UK: Patients' details lost on train by Hertfordshire doctor (updated)
East and North Hertfordshire NHS Trust has been found in breach of data protection after a doctor lost a memory stick on a train.
The junior doctor had recorded details of patients’ conditions and medication on the device and was meant to hand it over to the next doctor on shift.
But the doctor forgot and lost the unencrypted device on the way home.
Read more on BBC.
There’s no statement on the ICO’s web site or on the trust’s web site at the time of this posting.
Update: The ICO has now posted their release on the matter:
The Information Commissioner’s Office (ICO) has found East & North Hertfordshire NHS Trust to be in breach of the Data Protection Act after an unencrypted USB stick containing sensitive personal data was lost on a train journey home.
The USB stick was used by a junior doctor to record brief details of patients’ conditions and medication before being handed to the next doctor on shift. In this incident the doctor had accidentally taken the USB stick home intending to forward the data electronically, but lost the unprotected device on a train. It has not yet been recovered. The doctor informed the Trust immediately after discovering the loss and a full investigation was conducted. Enquiries by the ICO revealed that the junior doctor had not been aware of the Trust’s data protection policies and did not have access to email to receive policy reminders and updates.
It was also discovered that the Trust’s policies on the use of personal USB sticks were not clear and no technical measures were in place to prevent misuse of portable devices.
Nick Carver, Chief Executive of East & North Hertfordshire NHS Trust, has signed an Undertaking agreeing to take a series of steps to ensure that the Trust’s policy on the use of portable devices is clear and communicated to all staff. The Trust has also agreed to provide training for all staff who have access to personal information. The Undertaking also requires the Trust to regularly monitor for compliance with security procedures and to implement appropriate safeguards to prevent a similar breach in the future.
Mick Gorrill, Head of Enforcement at the ICO, said: “Storing sensitive personal data on unencrypted data sticks is a risk Trusts should not be willing to take. If it is vital to store information for handover, this must be done with the highest security measures in place. Furthermore, it is vital that employees are fully aware of processes which could have prevented this incident from occurring. I am pleased that the Trust has agreed to take practical and effective steps to ensure such an incident does not occur again.”
A full copy of the Undertaking can be viewed here: