Lax IT security measures led to NHS data breach in Birmingham, says ICO
NHS Birmingham East and North reported the breach to the ICO in September last year after discovering that electronic files, stored on a shared network, were potentially accessible to their own employees and the employees of two other local Trusts. The files contained information relating to thousands of individuals, including members of staff. Although health records were not compromised as part of the breach, the files also contained some high level information relating to patients.
The ICO’s investigation has found that, while most of the files were not easily accessible and some security restrictions were in place, file security in general was inadequate.
Acting Head of Enforcement, Sally-Anne Poole said: “It’s vitally important that IT networks storing personal information have robust security measures in place. Whilst nobody outside of the Trust environment was able to access the files, problems with the security of the network still led to a situation where sensitive information was potentially available to NHS staff that did not need it to carry out their daily role.
“We are pleased that NHS Birmingham East and North has agreed to improve the security of its network as well as reviewing the processes it follows when handling personal data.”
Denise McLellan, Chief Executive of NHS Birmingham East and North, has signed an undertaking to ensure that adequate technical security measures are in place to prevent unauthorised access to personal data. The Trust will also make sure that comprehensive policies are established regarding the storage and usage of personal data and that staff receive the necessary training on how to follow them.
A full copy of the undertaking can be viewed here.
The view from industry
According to PHS Datashred – one of the UK's leading providers of on-site and off-site shredding for confidential data destruction – this latest case follows 2,565 data breaches recorded since April 2010, when the ICO first gained the power to impose fines of up to £500,000. Approximately 59 percent* of all data breaches relate to private companies. However, 80 percent of all fines handed out have been imposed on public bodies, showing the serious nature of these issues.
Anthony Pearlgood, commercial director of PHS Datashred, said: “Public sector identity fraud is on the rise; the yearly cost of fraud to the UK has leapt to £38.4 billion**. This is a question of national security; public institutions are now legally bound to protect our records and permanently destroy data when no longer needed. Confidential information is not just limited to physical copies of documents, and data on laptops, memory sticks and disks must also be treated in a secure and confidential manner.”
*Figures obtained by encryption specialist ViaSat under the Freedom of Information Act
**Figure from National Fraud Authority
Tips to prevent public sector data leaks
- Create a confidential data policy – if you don’t have one already, you are already in the high-risk category for becoming a victim of data theft.
- Store & dispose of data safely – don’t assume that binning it is the end of the matter. Criminals often rifle through bins in car parks where confidential data has been poorly disposed of.
- Destroy data properly – arrange for a properly accredited company to help store, collect and securely destroy information. Ensure you know where your data is heading. Even better, have your data destroyed on site, using a mobile shredding vehicle, and watch the destruction.
- Check identities – use credit reference agencies to verify the identity of your preferred suppliers.
- Secure your accounts – don’t allow bank details to escape into the public domain. Thieves are adept at falsifying signatures.
- Inform staff – train staff on how to deal with confidential data properly and monitor their behaviour. Remember, most fraud is committed by people who work within the organisation.
- Beware of carrying large amounts of confidential data on unencrypted laptops, data sticks or mobile devices such as Blackberrys and iPhones. These small portable gadgets are magnets for thieves who can exploit your confidential information.