UK government data disasters continues

The UK government’s poor track record of lost laptops and data continued today with news that the NHS has lost 5,123 patient records by a laptop being stolen.

This follows numerous losses; the HMRC loss of two discs, to reports yesterday that the Ministry of Defence had lost personal data of hundreds of soldiers and their families when an officer left his laptop in a pub.

The NHS record has been particularly bad. At the end of last year nine English NHS trusts admitted losing patient records. At the beginning of February the public outcry continued when medical magazine Pulse reported the loss of 4,147 NHS computer “smartcards”.

Now, the loss is of information on patients with a blood disorder contained on a laptop that was stolen from Russells Hall Hospital in Dudley, West Midlands.

Although the laptop was stolen on the 8th January 2008, a statement by the Dudley Group of Hospital NHS Trust was only released yesterday.

The trust said it recognises the loss as a “serious issue”, adding, “We take precautions to try to protect all the I.T equipment in our hospitals from theft, but given that this is a public building with thousands of people accessing it every day, there are inevitable practical difficulties around security.”

“Our security team work very hard to ensure the safety of our staff, patients and visitors, but it is very difficult to mitigate against all deliberate acts of theft,” the statement adds.

The trust argues that accessing the patient information will be difficult because of the database containing the records is password and login protected and a separate trust login and password is required to operate the laptop. The trust said it is assuring its patients with letters.

But Mike Small, CA security director, said, “Whilst it seems there was password protection on the laptop, it’s not clear whether the data was encrypted. Password protection itself isn’t strong enough, because just taking the disk out will get around this security measure straight away.”

Chris Mayers, chief security architect at Citrix, points out other government bodies should consider a total laptop lockdown, which the cabinet officer has issued to the government. “There seems to still be a fundamental failure of proper data protection planning that such sensitive data would ever be transported without special protection.”

The trust argues it is beginning to deploy data encryption software on all trust owned laptops.