News that East Surrey Hospital has lost the medical details of 800 patients on an unencrypted memory stick is just the latest in a string of NHS data faux pas, says Cryptzone, but that does not lessen its potential impact on the people and their families concerned.
According to Grant Taylor, the European IT threat mitigation specialist's UK VP, ever since David Smith, the Deputy Commissioner with the ICO, revealed in April last year that the NHS is responsible for one third of the data breaches reported to his office, there has been a steady stream of patient data losses reported in the media, with censures and undertakings signed by the various health trusts involved.
"But has this changed the NHS' strategy on data security? Judging from the stream of NHS data loss reports in the 18 months since the ICO Deputy Commissioner's revelations at Infosecurity Europe 2010, nothing much has changed. This is an utter disgrace," he said.
"The sad reality is that, with around one in twelve adults employed or involved within the NHS in some way or another, it is perhaps understandable that patient data losses are going to keep on taking place. But that doesn't make them any more acceptable, nor should it detract from NHS IT security professionals' ongoing task to stop incidents like this from taking place," he added.
Taylor went on to say that, judging from local media reports, the 800 patients' details, which included their names, dates of birth and, perhaps more worryingly, details of their operations, were lost in September of last year and have never been recovered.
The Cryptzone VP says that, whilst reports like this are perhaps inevitable, Surrey and Sussex Healthcare NHS Trust has done itself no favours in the way it has dealt with the incident, apparently only choosing to reveal the data loss in its annual 2010/2011 report.
Equally unacceptable, he adds, is the fact that the healthcare trust did not inform the affected patients of the data loss, although, presumably, the ICO's office was informed.
Taylor noted that the other area of concern is that there were reportedly nine other 'near misses', where information was mislaid but found, suggesting, he says, that there is a casual approach to data security within the trust.
"Had this been a private company, rather than an NHS Trust, the organisation would have been publicly censured and a large fine levied under the Data Protection Act. The fact that this is a government agency that has experienced a total of 10 data loss incidents - and one where the data was not recovered - is highly questionable," he said.
"All 800 of the affected patients have every right to feel aggrieved, especially if some of their operations were of an embarrassing nature. The way in which Surrey and Sussex Healthcare NHS Trust has made this data loss public needs thorough investigation. It is human nature to make mistakes, but this incident could have been so easily prevented through better user education and the application of widely available encryption technologies."