Laptop with 8.6 million NHS records vanishes from hospital

Data was unencrypted...

A laptop containing unencrypted medical data for 8.63 million people has reportedly gone missing from a storeroom of a health authority in London, potentially the biggest data loss disaster ever to befall the NHS.

Details of the loss, reported in The Sun newspaper, are sparse so far but it appears that the machine was one of 20 that disappeared from a store used by NHS medical research organisation London Health Programmes, run by the North Central London health authority.

Information on the laptop included details of 18 million hospital visits over an unknown period of time, including the postcode, age and ethnic origin of the patients concerned, but not their names. Harder to explain is that the machine seems not to have been encrypted, which suggests the data might not be current.

The health authority concerned has yet to make any statement on the matter with the Information Commissioner's Office (ICO), whose job it will be to investigate the incident, keeping its comments to a bare minimum.

"Any allegation that sensitive personal information has been compromised is concerning and we will now make enquiries to establish the full facts of this alleged data breach," the ICO said in an emailed response.

Others have been more forthright.

"Regardless of whether this laptop has been stolen, lost, dumped or is simply sitting in a cupboard somewhere, the key point is that the data on it wasn't encrypted," said Chris McIntosh, CEO of public sector security consultancy ViaSat UK.

"When a machine contains highly sensitive information on literally millions of patients, not securing the data on it by any means possible isn't just careless; it's sheer negligence."

Whether the laptop lacked encryption has yet to be confirmed, but if it did, hard questions will be asked of the authority's IT security policies. Best-practice compliance mandates encryption on movable devices, but that assumes the presence of the data on the lost machine was allowed in the first place.

Hitherto, the NHS has had a fair record of data security when set against the sheer size of the organisation and the tens of millions of patients it deals with. Last October, a Scottish health board was ticked off by the ICO after a boy found a USB stick containing patient records in a car park.

Elsewhere, the NHS has been a big investor in encryption for portable storage, with a coalition of NHS Trusts buying an encryption management system from Swedish company Safestick in 2009. A year earlier, the NHS admitted it was struggling to encrypt patient data.

If confirmed, the latest loss will still be smaller than the notorious 2007 incident, when another wing of the UK state, Her Majesty's Revenue and Customs (HMRC), managed to lose 25 million child benefit records on a stack of CDs sent through the post.

Stories by John E Dunn
