UK: ICO slaps Warrington and Halton Hospitals NHS with Undertaking

From an undertaking posted to the ICO’s web on Friday without any companion release to indicate when the breach occurred or when it was reported to the ICO:

The Information Commissioner (the “Commissioner”) was provided by the data controller with a report of the theft of an unencrypted laptop storing personal data. The laptop was used by the Audiology department to carry out medical diagnostics. The laptop stored 110 patients’ names, addresses, telephone numbers and medical charts. It was noted that it was unlikely that the medical charts would be intelligible to anyone other than an audiology professional.

It is the data controller’s policy to encrypt all portable media. The laptop had no alternative security features and was not password protected. This laptop was not encrypted because it was issued by the Medical Engineering department as a diagnostic device. A failure in internal communication meant that the laptop was not identified as a security risk by the data controller’s IT department. The data controller has proposed appropriate remedial action following this incident.

You can read the full undertaking on the ICO’s site. I don’t see any media coverage of this incident.

About the author: Dissent

Comments are closed.