Reports are coming in that a member of staff at one of NHS Forth Valley’s secure mental health units has been suspended over the apparent loss of a USB stick containing patient’s medical records.
Since the case involves a data loss involving medical records, it may well be referred to the regional office of the ICO (Information Commissioners Office) in Edinburgh for investigation and likely further action.
According to local newspaper reports, a 12-year-old boy found the USB stick—which contained sensitive information on some of the staff and patients at Bellsdyke hospital’s Tryst Park facility—at a supermarket in nearby Stenhousemuir.
The case is the latest in what has become a long history of NHS data losses that David Smith, the ICO’s deputy commissioner, directly referred to in his keynote speech at the Infosecurity Europe show last week. Smith had singled out the NHS for criticism on the volume of its data breaches and losses, noting that the health agency is responsible for one third of data breaches.
As the deputy information commissioner said at the London event, in most cases the ICO will record an incident but not action it, but it does take action involving large-scale breaches where there is potential harm to individuals, he said. This is just such a case, as the Tryst Park facility provides long-term care for adults with severe mental health problems.
The NHS Forth Valley has done the right thing and started an urgent enquiry into the incident, suspending the member of staff alleged to have lost the USB stick in question. It’s interesting to note that the first four months of last year were a poor time for NHS data security when it was reported that the health service suffered 140 security breaches in that period.
As I said at the time, the fact that the Information Commissioner took action against 14 health trusts in the six months to April 2009, highlights the urgent need for encryption of payroll, human resource and medical records of all types.
The ongoing migration of medical records in many health trusts to electronic format has not helped matters, but, again, as I said 12 months ago, as the UK’s various health entities migrate their patient records over to wholly-electronic systems, the argument for the highest level of encryption really starts to come into play.
As I noted then, whilst it’s good to hear that the Information Commissioner calling for an urgent review of NHS data security, nothing much has changed—we’re still seeing entirely unnecessary data breaches like this.
I reiterate my suggestion that there needs to be a NHS technology czar to oversee the process. The technology required to protect data on laptops and removable media is available in the market today, is not particularly difficult to deploy, and can immediately mitigate these risks. If the NHS doesn’t move quickly to fix its grass roots security processes, these data leaks will carry on happening.
It’s now time for the ICO to act and push for the appointment of an NHS technology czar to oversee data security issues at all levels—and taken action against those health bodies that fail to protect their patient’s data.