Yet again, an NHS trust is hit by a data breach, as reported in SC magazine today. This time a CD of patient data was found at a bus stop. This is not to be confused with the data breach from the USB stick containing medical records that was found in a UK car park.
It is barely a month since we blogged on this topic, NHS Trusts Failing to Protect Information, and the Information Commissioner’s Office (ICO) issued a press release with the ominous title Poor Data Security in the NHS. Earlier in June, Mick Gorrill, head of enforcement at the ICO, said: “Everyone makes mistakes, but regrettably there are far too many within the NHS. Health bodies must implement the appropriate procedures when storing and transferring patients’ sensitive personal information. We have taken a number of steps to explain the importance of personal data to NHS bodies and help them comply with the law. We will continue to do so.”
Looks like Mick and the ICO have their work cut out for them. Here is a checklist of to-don’ts that the ICO might find helpful in its data protection enforcement efforts with the NHS trusts.
• Don’t use USB sticks for transferring confidential patient data
• Don’t use CDs for transferring confidential patient data
• Don’t post confidential patient data on insecure FTP sites
• Don’t allow use of P2P file sharing on NHS computers
Also, our earlier blog posting Top 3 File Transfer Security Mistakes should be required reading for all NHS trusts.