News that the medical records of 8.63 million patients - including details of abortions, HIV infections, cancer and mental illness treatments - have been lost after an NHS laptop went missing in late May has been met with consternation from Venafi, the data security specialist.
According to reports, the apparent theft of the unencrypted laptop from a London NHS building is potentially the biggest data loss incident in the history of the NHS.
This laptop was apparently one of 20 which were ‘lost’ from a store room at London Health Programmes - a medical research facility. According to Jeff Hudson, CEO of Venafi, the loss of the data, the health records, was 100% avoidable. “People will lose or have stolen from them physical items like laptops, that is unavoidable. What is completely avoidable is losing the health records. If they were encrypted, then they would not be readable by the thief or whoever they end up with. I find it breathtaking and maddening that the NHS did not encrypt the data on the laptops. It is easy to do, there is excellent technology in place to do it, and if it had been done then 8.63 million people would be feeling completely differently today because their most private information would not be floating around in plain sight,” he said.
"With the offending laptop reportedly also containing records of around 18 million hospital visits, operations and patient procedures, this is a very avoidable and serious data loss indeed and likely violates data protection regulations and patient privacy mandates," he added.
Venafi's CEO noted that when David Smith, the Deputy Information Commissioner, spoke at the Infosecurity Europe 2010 show just over a year ago, he revealed that the NHS was responsible for one third of all the data breaches his office had investigated.
Hudson said: “These aren’t someone's credit card details - which can be locked down by a bank and simply reissued. It's more than eight million people's medical records, many of whom will be devastated to find that their most intimate personal details and health histories are potentially up for grabs in the criminal community.”
Hudson said: “News of the magnitude and severity of this loss of citizens’ personal medical information makes me sad and mad. In general those responsible for these kinds of data loss are either incompetent or uneducated about how to avoid these situations. Data must be encrypted at all times; when it is stored or being moved, it must be encrypted. If it is encrypted, then it can’t be lost as it was in this case. The question that must be answered by the NHS is why was this not encrypted and what best practices are being implemented to make sure that going forward all data will always be encrypted?”