Hospital sorry for losing patients' data

Nov 2 2009 By Emma Heseltine

St Peter's Hospital

THE personal details of more than 70 cancer patients have been lost or stolen from Ashford and St Peter's Hospitals NHS Trust.

The information was stored on three portable data sticks, in Microsoft Word format, but was not encrypted.

Now the Information Commissioner has instructed the Trust to store its data more carefully and to make sure staff are properly trained in data protection.

Andrew Liles, chief executive of the trust apologised for the data loss and said: "We are extremely sorry that this incident happened and have apologised to each of the 76 patients concerned.

"We take incidents of this severity extremely seriously indeed and each patient was individually contacted as soon as the data loss became clear. We also wrote to each patient's GP."

Mr Liles has signed an undertaking to confirm that he will make sure personal data is kept more securely in future and that staff receive further training. It has also introduced encrypted memory sticks so that data cannot be read by just anyone.

The trust also set up a temporary telephone helpline for the patients affected, which received 17 calls.

He added: "The safe keeping of patient identifiable data is a top priority for the NHS and and for Ashford and St Peter's. We would like to reassure patients and members of the public that we have learned from this incident and the lesson has been disseminated throughout the organisation.

"Security is always challenging in publicly accessible buildings such as hospitals, but we remain vigilant and are doing all we possibly can to ensure this does not happen again."

Mick Gorrill, assistant commissioner at the ICO said: "I urge all NHS organisations to restrict and encrypt the amount of sensitive information stored on portable devices.

"In this case, our investigation found that there was a lack of understanding and awareness among staff and their responsibilities under the Data Protection Act. I am pleased the trust is implementing a number of changes to alert staff to data protection policies and procedures in the future."

The trust added that the data on the three memory sticks was copied from patients information, and so the original data has not been lost. And the new strategies for data protection will be firmly in place by the end of the year.