back to article NHS trust loses personal data of 600 maternity patients, kids

South London healthcare trust has admitted to losing two unencrypted memory sticks containing sensitive personal data about patients. The data breaches occurred in separate incidents. In the first breach, the device contained data relating to around 600 maternity patients, according to an undertaking signed by the trust with …

COMMENTS

This topic is closed for new posts.
  1. Ru
    Meh

    "Due to not having received up to date information governance training..."

    maybe they actually meant "Due to living under a rock for the last 5 years (or possibly longer) the employee had not heard of the dozens of incidents whereby an idiot taking work home lost confidential data."

    or, being a little more charitable, "Due to a critical mass of bureacracy, we have been unable to send a trust-wide email say "oh come on guys, stop losing unencrypted stuff""

    There is no excuse for this these days. Ignorance didn't really suffice back in the day either.

    1. Anonymous Coward
      Anonymous Coward

      Re: "Due to not having received up to date information governance training..."

      Or maybe the trust made any other way of working so ludicrously complicated that everyone just ignored their advice? My own employers tried to ban the use of all removable media and all online storage services, including Dropbox. No alternative was provided or suggested. Result: everybody uses USB drives and Dropbox.

  2. Anonymous Coward
    FAIL

    Again.....Taking the piss now.

    Not a MONTH goes by without some numpty losing data, but this:

    "A data controller employee downloaded the data on to a personal memory stick in order to do some work at home." takes the piss on a grandious scale.

    WHY is someone taking confidential data home.

    WHY is that data not encrypted at source.

    WHY, if they need to work from home, are they not using VPNs.

    WHY does this ALWAYS go unpunished.

    You would really think that, with the billions of pounds spent on NHS I.T that someone would have the foresight to either disable USB ports, encrypt the data at source or make taking confidential data home a dismissable offence (unless you are on a white list). But no. They should stop employing the fuck-wits the NHS employ as IT admins and grab a savvy, IT literate member of the public whom doesnt have a budget constraint as the foremost thing in their agenda, but whom does know how to disable USB ports, CD writers etc.

    Absolute bollocks this.......I shall wait for the ICO to whimper that "procedures have been put in place to stop it happening again". You know, as they said after the last leak and the one before that.. Ad nauseum....

    1. John G Imrie

      Re: Again.....Taking the piss now.

      >WHY is someone taking confidential data home?

      Because if they did the work that needed to be done in the office it would count towards their 40 hours of *work* under the EU Working time directive. Making the staff take it home means that (a) it's not counted against working hours and (b) the NHS doesn't have to pay for it.

      >WHY is that data not encrypted at source.

      Because the system went through the usual Government IT tendering process, which meant the the winning bid, in an effort to under cut its rivals, skimped on the non essentials such as logging and encryption

      > WHY, if they need to work from home, are they not using VPNs.

      See above. Also you actually need to hire someone who knows what a VPN is and how to set one up.

      > WHY does this ALWAYS go unpunished.

      Because punishing the pour harassed member of staff, who was probably only following their managers instructions to 'get that report finished before Monday' is unfair . And the actual Numpty who signed off on the contract left 2 years ago to go and work for the winning bidder.

      1. smsman99
        FAIL

        Re: Again.....Taking the piss now.

        While I can see the sentiment of your comment, I think you have missed the target here.

        The Working Time Directive is a toothless wonder that limits working hours for over 18s to 48 hours and unpaid overtime that you volunteer for does not count as work under the Directive.

        I have some experience of "the usual Goverment IT tendering process" and while there are indeed instances of bidders "skimping on non essentials", there should be safeguards in place to identify these. I always find it curious that when it all goes wrong people fall so easily for the "it was the nasty supplier wot done it" excuse. It's as though being crap at the job was a valid excuse.

        Perhaps the poor harassed member of staff should tell the mamanger that the data protection procedures are not conducive to getting the report finished by Monday. Then come up with some suggestions about how these procedures may be improved.

        The key points here remain:

        Why was sensitive data relating to 600 maternity patients taken *HOME* in the first place. This, in itself, is more alarming that the medium used to transport it.?

        Why were ward lists "contained the name, date of birth, diagnosis, treatment plan and test results for 122 patients." (the paper files mentioned in the article) allowed to be taken out of the hospital by a junior doctor?

        To me, these just sound like poor procedures, poor implementation and poor or non existent enforcement for which both management and staff share responsibility.

        1. Ian Johnston Silver badge
          FAIL

          Re: Again.....Taking the piss now.

          "Why was sensitive data relating to 600 maternity patients taken *HOME* in the first place. "

          Most midwives in my neck of the woods work from home, for obvious reasons. They couldn't do their jobs if they didn't have data on their patients (or access to it) at home.

          Brrring-brrring. Brrring-brrring.

          "Hello, duty midwife here"

          "I've just gone in to labour. I think the baby's coming now."

          "OK, I'll just drive forty miles to the hospital, get your case note and drive forty miles back to see you. See you in a couple of hours"

    2. Anonymous Coward
      Anonymous Coward

      Re: Again.....Taking the piss now.

      Except of course the one thing the NHS isn't as far as IT is concerned is "national" - each trust has its own IT staff. Despite all these incidents there are plenty of trusts that you _don't_ hear anything from, because they have implemented port control, encryption, added Information Governance training to the Statutory and Mandatory training portfolio (and check that people are up-to-date with it) etc. Please don't tar _all_ NHS IT staff with the same brush.

      But I agree there is no excuse for the trusts that haven't done all these things ... particularly when other organisations are usually only to willing to share advice, documentation etc with our colleagues.

      (AC obviously due to my current employment!)

      1. Anonymous Coward
        Thumb Up

        Re: Again.....Taking the piss now.

        Point taken.

        To the trusts that DO employ safe data practices, i apologise.

    3. Ian Johnston Silver badge
      Thumb Down

      Re: Again.....Taking the piss now.

      ""A data controller employee downloaded the data on to a personal memory stick in order to do some work at home." takes the piss on a grandious scale.

      WHY is someone taking confidential data home."

      I think there might be a clue in "to do some work at home". VPNs are all very well, as long as everything is centrally stored at the employer's end. It's a fat lot of good if stuff is stored on desktop machines.

  3. jon 72
    Trollface

    I'm missing something as well...

    after the millions that of been spent so far building this fully intergrated (secure?) system and the veritable plethora of encrypted wifi signals that now radiates from my local hospital, why were files being moved by memory stick at all?

    1. Andy Gates

      Re: I'm missing something as well...

      Probably because it's a damn sight easier. Clinicians don't need to jump through a bunch of IT hoops (bureaucratic and techie); they need an It Just Works solution, and as we see repeatedly, if you don't give 'em one, they work around the secure-but-cumbersome system in place with a convenient-but-insecure kludge.

    2. Anonymous Coward
      Anonymous Coward

      I suspected some of the reasons are:

      Three full time staff working the same hours have to hot-desk on the same computer.

      The computer is sufficiently locked down to prevent network access to the data.

      The computer is sufficiently locked down to prevent installing the software required to process the data.

      The computer is sufficiently locked down to prevent installing encryption software.

      The nearest working printer is in a different building waiting for someone to change the paper because someone forgot to change the paper size to A4 on their word document.

      The IT staff would be happy to help, but they have no budget and are busy fire fighting because there has not been enough money in the budget for over five years.

  4. Blofeld's Cat
    Facepalm

    Umm...

    "A data controller employee downloaded the data on to a personal memory stick [...] the employee was unaware that an encrypted device issued by the data controller should have been used"

    So, if I read this correctly, the person who lost the data works in the department that has the job of making sure people don't lose data.

    Sounds like the lunatics special people are running the asylum mental health outreach unit.

    1. Anonymous Coward
      Anonymous Coward

      Re: Umm...

      No, the "data controller" in ICO parlance is the organisation which owns and stores the data. In this case, that would be the NHS Trust, so any employee of the Trust is part of the "data controller".

  5. Anonymous Coward
    Anonymous Coward

    I currently work in the IT department of an NHS trust, and when ever I see reports like this, I just have wonder what the hell some other trusts IT departments actually do to earn their money.

    AC, for obvious reasons

    1. Anonymous Coward
      Anonymous Coward

      I think they're maybe taking a leaf out of that German civil servant's book. The one that announced upon departure that he hadn't done any work in 19 years.

  6. Anonymous Coward
    Anonymous Coward

    NHS IT Worker here

    I'm going to echo what other NHS employees have said, how do some of them earn their money? All our USB ports are locked down and only let approved encrypted USB stick to be accepted. It wasn't even expensive to implement, on the scale of things.

    1. Anonymous Coward
      Anonymous Coward

      ...it's a lovely idea but how are you supporting the multiple USB temperature monitoring devices that are delivered with drugs, USB dongles in order to run some imaging and pathology machines etc.

      Either you are supporting a tiny cottage hospital or actually have a reasonable IT budget!

      1. This post has been deleted by its author

      2. Anonymous Coward
        Anonymous Coward

        USB ports have a white list, approved devices work (think it's based on serial number, although I don't administrate the system so I'm not sure).

        We are a 7000+ users Trust, we are a large NHS organisation. Data security is worth it, the fines if you lose data make any project like this worth it, not to mention the bad press.

      3. Sir Sham Cad

        Re: It's a lovely idea but...

        Read only access to non-trusted USB devices.

        1. Anonymous Coward
          Anonymous Coward

          Re: It's a lovely idea but...

          > Read only access to non-trusted USB devices.

          No it's all or nothing. They still will give you power though if disabled.

          1. Sir Sham Cad

            Re: It's all or nothing

            Sorry but it isn't. Every endpoint security package I know and have seen in anger allows you to specify how you handle non-trusted devices. Usually this is done with a hardware fingerprint (make/model/serial) and devices can be blocked completely, set to read only or set to read/write depending on any number of factors including the logged on user (Hello, Can-O-Worms).

            Now I know this requires a software licence so this needs budget, as opposed to just locking down all USB ports which I think is what you're talking about doing. The technology does exist, though, and it's not hard to implement (if you have the dosh). IMHO this should be a core part of any enterprise infrastructure these days but, as with all IT security, it's hard to get a business case past the "It's never happened before so we don't need to spend money preventing it" financial firewall.

            1. Anonymous Coward
              Anonymous Coward

              Re: It's all or nothing

              Sorry, to clarify, OUR policy is it's either approved and encrypted or it won't be accepted at all. Of course we can allow non trusted devices read only but we choose not to, and I'm sure it's for the best.

              When apparently it's a cool up-to-half a million per data loss incident, maybe it should be looked at again.

              1. Mark 65

                Re: It's all or nothing

                Maybe some things like this should be mandated and funded by central Government where the shear scale should drive a much better licensing bargain rather than being left to trust where some have better scale/competence than others. Emphasis on the "should".

  7. Anonymous Coward
    Anonymous Coward

    What was the employee doing putting that data on a personal device?

    That kind of behaviour borders on the criminal.

  8. Dave Bell

    Er who?

    So what is a "data controller employee"?

    AFAIK, "data controller" has a specific legal meaning under the DPA, and this all feels a funny way of saying IT worker, implying a pretty direct chain of authority. It's almost as if there's some outsourcing going on here. And what the heck are they doing to the data? Selling it to Mothercare?

    And, now, I don't see how the government's brilliant plans to put GPs in charge are going to help. Based on my experience, GPs don't seem able to attain reliable communications, never mind secure coimmunications.

    1. Ian Johnston Silver badge

      Re: Er who?

      As soon as you get a positive pregnancy test the NHS sells your details to all sorts of organisations. The amount of bumph which arrives from Bounty and the like is astonishing.

  9. Tom 7

    My only worry is if they encrypt it

    it will be lost to everyone for ever.

  10. Captain Mainwaring
    Pint

    Everyone should have one

    What about installing a standard encryption package on every PC within an organisation? Should any individual feel the need to take home any confidential information, they could create a self extracting encrypted file on their memory stick and take it home to work on. If they were to carelessly misplace the said memory stick at any point, they would be safe in the knowledge that at least it's contents would be hard to get to if it did fall into the wrong hands. Would this be too costly or impractical for an NHS trust to implement across the board? I'm sure most people who work on a PC day-in, day-out, would have the knowledge and experience to handle such an encryption package with little or no training.

    1. Anonymous Coward
      Anonymous Coward

      Re: Everyone should have one

      Two issues here:

      1)The cost to encrypt our 1500 laptops within our organisation is ludicrous! yes thereis free software out there, but not of the required standard and doesnt provide centralised control. To encrypt all of the PCs for an NHS organisation, even a small one would be astronomical!

      2)Imagining that the majority of staff would be able to handle an encryption package on their desktops is increidbly naive! You need to remember that the majority of staff have no idea how to remember a password from one day to the next...

      1. Mark 65

        Re: Everyone should have one

        Won't bitlocker do it? That obviously assumes not running XP which is probably the OS in use.

  11. Winkypop Silver badge
    Joke

    Apparently the NHS staff memo was available...

    ...but it was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'

  12. Inachu
    FAIL

    HAhahahah

    I blame the family members of the employee who lost it.

    Everyone who brings stuff home from work should have any area inside his house that is off limits to other family members and friends.

    Back in the 1940's men had their lab room(basement) pad locked away.

    Too bad those days are gone.

  13. Grease Monkey Silver badge

    Why the hell are they allowing sensitive data to be bunged on memory sticks in the first place?

  14. John A Blackley

    Take a look

    At the HIPAA security rule operating in the United States. Particularly take a look at the penalties.

    If the government is not willing to impose sanctions of this order then any trust will be able to, at any mention of encryption, fake a fainting spell, mumbling, "The expense! Oh the expense!"

    Of course the potential expense to those whose identities get stolen isn't a factor at all.

  15. Alex C

    when I were a lad and all this was fields

    Nobody would have cared.

    Honestly I know they're not supposed to lose these records, but the vast majority I hope will be handed in to hospital / police as appropriate or has in fact not really been lost but fallen down the back of the sofa, under the driver's seat etc only to be found later and quietly handed in.

    The only time there's a problem is if someone decides to use this for nefarious purpose, and I agree that the details here probably suffice to take out credit / passports in the baby's name or what-have-you.

    I wonder how often credit fraud happens as a ratio of the seemingly endless number of procedure failures? I hope that most of us still know right from wrong in any case

  16. Glenn Charles
    Paris Hilton

    OH WTH

    I keep losing my own personal data. Now who am I?

This topic is closed for new posts.

Other stories you might like