Unencrypted laptops containing 31,000 patient records have been lost by two NHS trusts.
A laptop containing 11,000 patient records was stolen from a GP’s home in Wolverhampton. And St George’s Hospital in London has admitted that six laptops were stolen from its filing cabinets at the start of the month, containing the records of 20,000 patients.
Both data breaches break Department of Health policy that states NHS mobile devices must be protected by encryption. Neither trust has offered an explanation as to why the data was unencrypted.
The breaches follow news this week that a laptop was stolen from community secretary Hazel Blears’ office. Last week, the government lost two sensitive paper files on terrorists.
The thefts of patient records also follow comments by industry analysts that the NHS should urgently reconsider the UK$12.7 billion digital records system, after Fujitsu pulled out of the program over local trust demands. Some observers suggested patients should instead carry their own smartcards with their data.
The laptop theft in Wolverhampton concerned a doctor at the Castlecroft Medical Practice. Jon Crockett, chief executive at Wolverhampton City Primary Care Trust, said he was “extremely concerned” about the theft and was investigating what had happened.
“Patients and the public have the right to expect that those dealing with confidential information maintain the highest levels of security, and we are carrying out a full and urgent investigation into this incident,” he said.
The laptop was not encrypted, he said, but was protected by a “complex password system”. It contained the names, dates of birth, addresses, contact details and confidential medical records of patients.
Dr Peter Wagstaff, senior partner in the practice, apologized for the incident, and said the police believed the risk of the information being used for criminal purposes was low because the thieves targeted a range of items at the doctor’s house.
But he said the laptop could end up on the market: “It appears to have been stolen for its re-sale value, rather than for any information stored upon it.”
In the London incident, the details of 20,000 patients were stolen, including their name, date of birth and postcode. St George’s Healthcare Trust has written to every patient to apologize and explain the situation.
The trust apologized for losing the laptops, and added that it was its policy for laptops not to contain patient data.
“This was done as a temporary measure because of a problem with the computer network. However, the laptops were in a secure area under lock and key,” it said in a statement. “The data was being used to monitor and reduce waiting times at the hospital.”
It said all data was password protected and personal information such as postcode was hidden, although the patient’s name and hospital number was shown.
David Astley, chief executive at the trust, said the data “will almost certainly be wiped by the thief so he can get a quick sale.”
But he added: “Nonetheless we owe it to our patients to protect their personal information and we have reminded our staff not to store this kind of data on laptops in the future.”