South London has four data ‘near misses’

  • 13 April 2012

Employees at South London Healthcare NHS Trust have breached the Data Protection Act four times in the past year, on one occasion leaving sensitive patient data in a grocery store, according to the Information Commissioner’s Office.

The trust informed the ICO of the loss of two unencrypted memory sticks, of ward lists left in a grocery store, and a failure to adequately secure some patient paper files when they were not in use. Each incident involved the loss of sensitive patient data.

The first USB stick was lost after an employee downloaded data onto a personal, unencrypted device in order to do some work at home.

The employee, who had not received the latest information governance training, misplaced the device, resulting in the loss of data relating to around 600 maternity patients.

The second incident involved a memory stick that contained the names and dates of birth of 30 children and full audiology reports for a further three children.

An undertaking to improve data security in the future, signed by the trust, says: “both devices were later found and it is unlikely that they were readily accessible during the time they could not be located.”

The ICO also found that a junior doctor was in breach of trust policy by taking ward lists containing the name, date of birth, diagnosis, treatment plan and test results for 122 patients out of the hospital, subsequently leaving them in a grocery store.

In the final incident, South London reported that some genito-urinary clinic outpatient files were not being locked away when not in use. However, they were being stored in areas with secure access controls.

The ICO decided against exercising its powers to serve an enforcement notice under section 40 of the DPA after “remedial action” was taken by the trust.

A spokesperson for South London Healthcare told eHealth Insider: “The trust has implemented a range of measures to ensure that the incidents which took place last year do not happen again.

“These include ensuring that all USB sticks issued by the trust are encrypted and that computers at the trust will only accept encrypted USB sticks.

“This means that if a USB stick is inadvertently left unattended, the contents on the stick will not be accessible to members of the public. Also the trust continues to focus on improving information governance training levels for all staff.”

Board papers from a public meeting held on 25 January report the incidents as “near misses.”
