Computerworld UK - A laptop containing unencrypted medical data for 8.63 million people has reportedly gone missing from a storeroom of a health authority in London, potentially the biggest data loss disaster ever to befall the NHS.
Details of the loss, reported in The Sun newspaper, are sparse so far but it appears that the machine was one of 20 that disappeared from a store used by NHS medical research organization London Health Programmes, run by the North Central London health authority.
Information on the laptop included details on 18 million hospital visits over an unknown period of time, including the postcode, age and ethnic origin of the patients concerned, but not their names. Harder to explain is that the machine seems not to have been encrypted, which suggests the data might not be current.
The health authority concerned has yet to make any statement on the matter, with the Information Commissioner's Office (ICO), whose job it will be to investigate the incident, keeping its comments to a bare minimum.
"Any allegation that sensitive personal information has been compromised is concerning and we will now make enquiries to establish the full facts of this alleged data breach," the ICO said in an emailed response.
Others have been more forthright.
"Regardless of whether this laptop has been stolen, lost, dumped or is simply sitting in a cupboard somewhere, the key point is that the data on it wasn't encrypted," said Chris McIntosh, CEO of public sector security consultancy ViaSat UK.
"When a machine contains highly sensitive information on literally millions of patients, not securing the data on it by any means possible isn't just careless; it's sheer negligence."
Whether the laptop lacked encryption has yet to be confirmed, but if it wasn't encrypted, hard questions will be asked of the authority's IT security policies. Best-practice compliance mandates encryption on movable devices, but that assumes that the presence of the data on the lost machine was allowed in the first place.
Hitherto, the NHS has had a fair record of data security when set against the sheer size of the organisation and the tens of millions of patients it deals with. Last October, a Scottish health board was ticked off by the ICO after a boy found a USB stick containing patient records in a car park.
Elsewhere, the NHS has been a big investor in encryption for portable storage, with a coalition of NHS Trusts buying an encryption management system from Swedish company Safestick in 2009. A year earlier, the NHS admitted it was struggling to encrypt patient data.
If confirmed, the latest loss will still be smaller than the notorious 2007 incident when another wing of the UK state, Her Majesty's Revenue and Customs (HMRC), managed to lose 25 million child benefit records on a stack of CDs sent through the post.