UK Health Breach Affects 8.6 Million
Missing Laptop Was Not Encrypted
The information on the laptop does not include names, but patients could be identified from postcodes and details such as gender, age and ethnic origin, the newspaper reports. The computer stored records of 18 million hospital visits, operations and procedures. The missing records include details of cancer, HIV, mental illness and abortions, according to the newspaper.
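The re-identification risk described above (no names, but postcode, gender, age and ethnic origin left in) can be measured with a k-anonymity check before data is released or copied to a device. The following is an added example, not code from the article or from NHS North Central London; it runs over a constructed sample and uses assumed field names (postcode, gender, age, ethnicity, diagnosis).

```python
from collections import Counter

# Constructed sample of "unnamed" hospital-visit records, using the fields the
# article says remained on the laptop (postcode, gender, age, ethnic origin).
# All values are invented for illustration; no real patient data is used.
RECORDS = [
    {"postcode": "N1 9GU", "gender": "F", "age": 34, "ethnicity": "White British", "diagnosis": "D1"},
    {"postcode": "N1 9GU", "gender": "M", "age": 34, "ethnicity": "White British", "diagnosis": "D2"},
    {"postcode": "N1 0AA", "gender": "F", "age": 31, "ethnicity": "White British", "diagnosis": "D3"},
    {"postcode": "N1 0AA", "gender": "F", "age": 38, "ethnicity": "White British", "diagnosis": "D1"},
    {"postcode": "NW3 2QG", "gender": "M", "age": 52, "ethnicity": "Black Caribbean", "diagnosis": "D4"},
    {"postcode": "NW3 5BA", "gender": "M", "age": 55, "ethnicity": "Black Caribbean", "diagnosis": "D2"},
    {"postcode": "NW3 5BA", "gender": "M", "age": 55, "ethnicity": "Black Caribbean", "diagnosis": "D3"},
    {"postcode": "NW3 2QG", "gender": "F", "age": 57, "ethnicity": "Asian Indian", "diagnosis": "D1"},
]

# Fields that are not names but together can single a person out (quasi-identifiers).
QUASI_IDENTIFIERS = ("postcode", "gender", "age", "ethnicity")

def equivalence_classes(records, keys=QUASI_IDENTIFIERS):
    """Count how many records share each quasi-identifier combination."""
    return Counter(tuple(r[k] for k in keys) for r in records)

def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Smallest class size; k == 1 means at least one record is unique on these keys."""
    classes = equivalence_classes(records, keys)
    return min(classes.values()) if classes else 0

def unique_records(records, keys=QUASI_IDENTIFIERS):
    """Number of records that are the only one with their quasi-identifier combination."""
    return sum(1 for n in equivalence_classes(records, keys).values() if n == 1)

def generalise(record):
    """Coarsen: full postcode -> outward code (district), exact age -> 10-year band."""
    return {**record,
            "postcode": record["postcode"].split()[0],
            "age": f"{record['age'] // 10 * 10}s"}

def anonymise(records, k=2, keys=QUASI_IDENTIFIERS):
    """Generalise every record, then suppress any class still smaller than k."""
    coarse = [generalise(r) for r in records]
    sizes = equivalence_classes(coarse, keys)
    return [r for r in coarse if sizes[tuple(r[f] for f in keys)] >= k]

if __name__ == "__main__":
    print("raw:   k =", k_anonymity(RECORDS), "unique =", unique_records(RECORDS))
    safe = anonymise(RECORDS)
    print("after: k =", k_anonymity(safe), "records kept =", len(safe))
```

On the sample, six of the eight raw records are unique on the four fields (k = 1); after coarsening postcode and age and suppressing singleton classes, the six remaining records satisfy k = 3.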
The laptop is one of 20 computers missing from a storage room at London Health Programmes, a medical research organization based at the North Central London location. Eight have been recovered, the newspaper reports. Although the incident was reported to authorities as a theft, it's not yet clear if the laptops were stolen, misplaced or dumped.
The Information Commissioner's Office, the UK's independent authority created to uphold information rights, issued a brief statement, as first reported in the U.S. on phiprivacy.net: "Any allegation that sensitive personal information has been compromised is concerning, and we will now make inquiries to establish the full facts of this alleged data breach."
The Register, a British technology news website, reported that when it asked authorities why they needed to store so many records on an insecure computer, NHS North Central London officials replied that one of the missing computers "was used for analyzing health needs requiring access to elements of unnamed patient data. All the laptops were password protected, and our policy is to manually delete the data from laptops after the records have been processed. NHS North Central London operates under strict data protection guidance and is taking the matter extremely seriously. We have started an investigation into the issues raised by the loss. We are liaising with the office of the Information Commissioner."
Discouraging News
Security expert Kate Borten, president of The Marblehead Group, says: "It's not shocking, but it's discouraging that an organization such as the NHS somehow permitted such sensitive information - not just medical records, but mental health, abortion and HIV records - to be stored on a portable device without encryption. However, unless the UK government takes significant action against the NHS for this serious breach, which is not likely, the message to the U.S. healthcare industry is lost."
Too many healthcare organizations still have a sense that a breach "won't happen to us," Borten says. "Maybe the only thing that will cause all organizations to implement obvious security measures, such as encryption on portables, will be a breach that has a horrible impact on patients who then bring legal action and major publicity that doesn't fade away after a week."
The UK incident illustrates, unfortunately, that "security is not a priority," says security consultant Mac McMillan, CEO at CynergisTek. "If it was a priority, we would never, ever put more than 8 million records on a laptop. You would think someone would have asked the question: 'Do the health records on more than 8 million individuals belong on a device that can be lost or stolen?'"
To emphasize the enormity of the UK breach, McMillan points out that a combined total of about 11 million Americans have been affected by all of the nearly 290 major health information breaches reported in the United States since September 2009, when the HITECH Act breach notification rule took effect, according to the HHS Office for Civil Rights.
Healthcare organizations should carefully consider whether any patient information should be stored on mobile devices, he stresses. And if such data is stored, it's essential to encrypt it, he adds.