A medical practice breached the Data Protection Act when it lost an unencrypted memory stick containing the personal details of 8,000 patients, it has been ruled.
Lampeter Medical Practice was deemed to have breached the act after a member of staff downloaded the database of patient details in a clear contravention of practice policy, the Information Commissioner’s Office said.
The information was downloaded to a computer memory stick that was neither password-protected nor encrypted, and then posted by recorded delivery to the Health Boards Business Service Centre.
The memory stick is now deemed to be lost as it did not arrive at its intended destination.
Dr Rowena Mathew, head of practice of Lampeter Medical Practice, has agreed to take remedial action so that a security breach does not occur again.
This includes ensuring all mobile devices such as laptops and memory sticks are encrypted, ensuring physical security measures are sufficient and making staff fully aware of the organisation’s data security policy.
Sally-Anne Poole, Enforcement Group manager, said: “It is unnecessarily risky to download 8,000 personal details onto a memory stick.
“It is imperative that staff are made fully aware of an organisation’s policy for securing personal data, and any portable device containing personal information should always be encrypted to prevent it being accessed in the event of loss or theft. I am pleased Lampeter Medical Practice has agreed to take action to prevent a similar security breach happening again.”
Copyright © Press Association 2010
Your comments (terms and conditions apply):
“Surely, all practices are meant to have data security at the top of their list of computing policies! After all the publicity about lost laptops and mobile devices in recent years, it’s hard to believe this is still happening. It highlights to me the problems with the Summary Care Record. Great idea in principle but with 1.3m NHS staff and, at a conservative estimate, 400,000 with clinician level access, I wouldn’t trust the security of the data and if I don’t as an NHS staff member, who will?” – Name and address withheld