The Register® — Biting the hand that feeds IT

Feeds

8m health records go walkabout

Unencrypted, password-free blackmailer's starter kit

By John Oates, 15th June 2011
  • print
  • alert

What you need to know about cloud backup

A London health authority has admitted losing a laptop which contains 8.6 million health records.

The machine was lost three weeks ago, but has only just been reported missing to police and the Information Commissioner's Office.

We've asked North Central London health board why it needed to store 8.63 million health records on an unsecure laptop in the first place.

They sent us the following: "NHS North Central London is investigating the loss of a number of laptops. One of the machines was used for analysing health needs requiring access to elements of unnamed patient data. All the laptops were password protected and our policy is to manually delete the data from laptops after the records have been processed. NHS North Central London operates under strict data protection guidance and is taking the matter extremely seriously. We have started an investigation into the issues raised by the loss. We are liaising with the office of the Information Commissioner."

The machine was one of 20 lost from a storeroom at London Health Programmes - a research body based at NHS North Central London, the Sun reports. Eight of the 20 have been recovered, but the authority is still looking for the other 12.

The records contain no names but do include other identifying information like age, gender, postcode, medical history, hospital visits, HIV status and mental illnesses.

An ICO spokesperson said: “Any allegation that sensitive personal information has been compromised is concerning and we will now make enquiries to establish the full facts of this alleged data breach.”

A Department of Health spokesman later sent us this statement:

"All NHS organisations are legally required to comply with Data Protection legislation and are expected to take data loss extremely seriously, be open about incidents and about the action taken as a result.

"We have set clear standards for NHS organisations to adhere to on data handling, and have issued guidance that sets out the steps they must take to ensure records are kept secure and confidential.

"Local NHS organisations are responsible for implementing these data handling processes, including which staff need to have access to health records, and for compliance with Information Governance standards." ®

Agentless Backup is Not a Myth

COMMENTS

House Rules Send Corrections
All Reader Comments (56)
Highly Rated
Oliver Mayes

Lets analyse this statement a bit shall we?

"All the laptops were password protected"

means - We created an account in Windows with a username and password of admin/admin.

"our policy is to manually delete the data from laptops after the records have been processed."

means - We require staff to spend time doing something boring and long winded, ensuring that no-one bothers.

"We have started an investigation into the issues raised by the loss."

means - We are paying a consultancy agency several hundred thousand pounds to recommend that we start using encryption.

13
0
Anonymous Coward

What, again !!

I can't believe that once again, private information has been pinched ("lost from a storeroom") - what a load of bullsh*t. Password protected can be got around; it needs proper encryption. I guess the saving grace (if true) is that no names were on there. As a slightly unrelated side note I did some work for the MoD but at lunchtime everyone disappeared leaving me alone with many computers with no screen saver passwords. I'm so glad we've got a good secure defence strategy.

13
0
Anonymous Coward

People should be fired..

Fines don't work (it will be the tax payer who ends up paying anyways) ; kick out the management and make an example of them all.

The story doesn't make much sense, "One of the machines was used for analysing health needs requiring access to elements of unnamed patient data. All the laptops were password protected and our policy is to manually delete the data from laptops after the records have been processed"

"The machine was one of 20 lost from a storeroom".. So why wasn't the data deleted? How many more machines are lying around that health authority with data on them?

8
0

More from The Register

SCO vs. IBM battle resumes over ownership of Unix
Zombie lawsuit back and wants to suck the brains out of Linux
116
breaking news
Jailed LulzSec hacker Cleary coughs to child porn images, will be freed soon
Some images of infants as young as six months
68
NSA whistleblower to tech firms, Obama: 'Grow a pair!'
Ed Snowden: Email tracking grabs 'IPs, raw data, content, headers, attachments, everything'
66
breaking news
Ecuador: All right, Julian, you CAN stay on our sofa - it's your human right
Minister and Wikileaker share cosy chat in tiny London flat
65
Google flings another £1m at online child sex abuse vid CRACKDOWN
See, see, we're trying, ad giant tells Daily Mail UK.gov
41
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
breaking news
BBC lied to Parliament about doomed £100m IT monster, thunder MPs
Axed DMI ballooned and burst while watchdogs sang Kumbaya
50
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Not just telcos, THOUSANDS of companies share data with US spies
It's all perfectly legal, trust us
68