NHS trust reports losses of unencrypted USB sticks

South London Healthcare NHS Trust has reported the lack of two unencrypted memory sticks among a sequence of information losses.

According to an undertaking, within the first incident the device contained data related to approximately 600 maternity patients, while within the second incident, the device contained the names and dates of birth of 30 children and entire audiology reports for an extra three children.

In the primary instance, an employee downloaded the info to a private memory stick with perform a little work from home. As a result of not having received up-to-date information governance training, the worker was unaware that an encrypted device issued by the information controller will need to have been used.

The Information Commissioner's Office (ICO) said in these incidents, the info was put at unnecessary risk by it not being encrypted, but both devices were later found and it's unlikely that they were readily accessible throughout the time they can not be located.

In a 3rd incident, a junior doctor took home ward lists, containing the names, dates of birth, diagnoses, remedies and test results, for 122 patients. In a fourth incident, the information controller reported that some Genito-Urinary Clinic outpatient files weren't locked away when not in use, although they were being stored in areas with secure access controls.

The ICO said that following consideration of the remedial action that have been taken by the info controller, it would not exercise its powers in these cases. Chief executive of South London Healthcare NHS Trust, Dr Chris Streather, has signed an undertaking to enhance security of portable devices, the policies concerning retention, storage and use of non-public data, and physical security.

Nick Banks, vice-president of EMEA and APAC at Imation Mobile Security, said here's another example of what can happen when sensitive information is stored on unencrypted USB drives.

“Had these devices been encrypted, the knowledge would has been inaccessible to anyone finding the device, the patient data would have remained confidential and the NHS trust can have saved itself from the scrutiny and criticism for you to now inevitably follow,” he said.

“USB memory sticks are vulnerable by their very nature because they're specifically designed to be mobile, and as such there's an increased risk of them being lost or stolen. Encryption mitigates this threat by ensuring that if a tool falls into the incorrect hands, the information continues to be securely protected.

“Without knowing more details, we won't speculate at the contents of the trust's policy concerning the use of encrypted memory devices. Organisations have a responsibility to equip their staff with the fitting technology to be certain proper data protection. This suggests supplying encrypted USB devices and investing in management systems to enforce policy, monitor usage or even control precisely what data could be downloaded to USB sticks. Management systems can automatically block the usage of non-encrypted memory devices, so the info breach hence would has been prevented at source.”