Over 150 data losses uncovered in Wales

18 Jul 2008

Fourteen computers have been stolen from NHS trusts in Wales in the last three years, a Freedom of Information request has found.

According to BBC Wales, six NHS trusts have collectively experienced more than 150 incidents of confidential data being lost or stolen from hospital grounds.

Data losses occurred in a variety of ways. In addition to lost and stolen PCs and laptops, these included mixed up paperwork, lost post and misdirected faxes.

The papers released to BBC Wales show that other breaches occurred when staff allowed relatives to read confidential files and clerical errors led to more staff viewing files than necessary.

Welsh health minister, Edwina Hart, told the BBC that she found the FOI findings “pretty horrific” and said more must be done to protect patient confidentiality.

“I regard this as absolute tardiness… we cannot have confidential information on patients going out in this way,” she added. “I appreciate a lot of information flows within the NHS – out of hospitals, into hospitals – but we must try and protect patient records.

“It’s the duty of everyone to ensure that they go to the right address and that records aren’t left lying around.” Hart said she would ensure the head of NHS Wales, Ann Lloyd, and trust chairs took the matter seriously.

One of the worst incidents involved a nurse at Wrexham Maelor Hospital finding a sheet of paper in a puddle that contained confidential information on young patients.

A spokesperson for analysts IDC told E-Health Insider: “Continuing incidents like this clearly show that it is time for IT managers to be responsible for the data they are in charge of.

“Patients do not want incidents like this to happen, and after cases like HMRC, it is understandable that there are concerns. We must get serious about the importance of good quality secure data.

Links

NHS Wales

BBC article

Reader's Comments

Paper in puddles

18 Jul 08 10:08

Err, so the IT Manager is responsible for paper in puddles now are they? With the kind of restrictions some people want to put onto electronic systems I guess it's inevitable we'll have more paper flying about. I wonder how many people really would report a piece of paper like a clinic list that has blown off the top of a trolley as a serious incident. Given this kind of reporting (and general moderation and common sense) I doubt I would!

Pen and paper

18 Jul 08 14:28

Surely the pen and paper were the original Information technology tools?

Who said IT was purely electronic?

I hate to be a Luddite - but I can still read the latin words on the Magna Carta; yet who can read punched paper tapes, ferrous tape reels or even 8" floppies? Come to that there isn't a single 3.5" floppy drive on this floor........

Rights and Responsibilities

23 Jul 08 16:01

If you are going to give the IT Manager the responsibilities you also must give him/her the rights to exercise control. As everyone knows the security rules apply to everyone except those at director level or above or hold any type of clinical job ('If I cant get on face book it'll kill this patient etc. etc.'). Otherwise we (oops I mean they) can claim unfair dismissal and get thousands and thousands of pounds for sitting at home doing nothing. Hang on a minute. Forget I posted this.

Blame it on the IT Manager again .......

24 Jul 08 09:06

"A spokesperson for analysts IDC told E-Health Insider: “Continuing incidents like this clearly show that it is time for IT managers to be responsible for the data they are in charge of."

That comment from a "spokesperson" pretty much sums it up. Once again the IT manager is blamed. It's high time people realised that the IT Manager provides the tools that enable people to do their jobs more effectively and efficiently (and before anyone says "you should see our IT system" imagine working without it)

Everyone, and I mean everyone, is responsible for Information Security and until people get that through their heads then incidents such as this will continue to happen. I am heartily sickened by people passing the buck onto the IT department (and no I'm not an IT person). IT can provide encryption tools, but it is the individual who makes the decision to download PID onto thier own USB Key, or e-mail patient lists to thier webmail address or undertake some other damned stupid practice that jeapordises the security of the information.

Maybe the quote should have been “Continuing incidents like this clearly show that it is time for IT managers to be given the proper resources to enable information security to be taken seriously within the NHS".

Were it not for moderation my language would have been remarkably stronger. But, in short, BUCK UP, WAKE UP AND SMELL THE COFFEE PEOPLE, THE WEAKEST LINK IN THE CHAIN IS YOU!!!

No problem...

24 Jul 08 10:11

As someone reasonably senior in IT, I can hapilly lock the systems down tighter than a very tight thing. Block all drives, USB etc and implement very strict website controls and email scanning - perhaps blocking any incoming attachments not to mention any non work websites. Also stop any collection of data not via an approved system so no more excel spreadsheets and access databases with PID in.

How long do you think we could do this before being forced to loosen security? - I'd give it about an hour.

A whole hour!

24 Jul 08 11:25

You work for the NHS and yet you're still an optimist? - A very rare breed indeed.