DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

UK: Patients kept in the dark as hundreds of records go astray

Posted on March 25, 2008 by Dissent

David Higgerson of the Liverpool Daily Post reports:

THE records of hundreds of Merseyside patients have gone missing from the region’s hospitals and surgeries over the past two years.

Many of the incidents – including one where the names, partial addresses and door access codes to sheltered accommodation were taken – have prompted changes in working practices at health trusts across the area.

A number of the patients involved will be unaware their information had been lost. In one case involving Liverpool PCT, a patient only discovered their file was missing after a solicitor asked to see it.

Several of the cases involve data going missing in the post, including one incident where a ripped envelope arrived at its destination without the CD containing patients’ data which had been inside it.

And at one trust, the Countess of Chester Hospitals, records of several patients were found to have been thrown away.

Until now the only reported data breach in the region has been when the personal details of staff at Sefton PCT were accidentally released.

But an investigation by the Daily Post, using the Freedom of Information Act, has revealed the loss of 230 records by health staff in the region.

More than half of the trusts which replied to a request for information confirmed they had lost data.

It is also revealed that the largest data loss – 100 records held on a “memory stick” by Liverpool Primary Care Trust, was not reported to the patients involved.

According to the PCT, the memory stick was lost or stolen in an office, and could not be located.

A spokesman said: “The data stick was encrypted. The appropriate manager completed an incident form and a management report.

“As a result of the loss, procedures were changed and patient information is no longer stored on portable data storage devices.

“The PCT did not inform the patients involved as the data stick was encrypted.”

The second single largest loss of data was reported by Halton and St Helens Primary Care Trust where a book used by weekend district nurses was “mislaid”. It contained names and partial addresses of patients, plus the access codes to get into communal accommodation, such as sheltered housing.

A spokesman for the PCT said: “An extensive search of the locations and offices used by the District Nursing teams was undertaken, but the communication book has not been found at present.

“The communication book contained as routine, the patient’s name and partial address. However, for three patients, there was a four-digit door access code recorded.

“We arranged for their access codes to be changed. In addition, we sent each of those three patients a letter, informing them of the reason the code was being changed.

“As a result of this incident, we reviewed the use of this type of communication book and as a result we have taken it out of operational use.”

The Royal Liverpool Children’s Hospital – Alder Hey – confirmed it had been forced to remind staff not to take patient files homes after one was stolen. It reported the highest number of data loss cases – five – but each only involved one patient.

Sefton PCT – which had been included on a government list of NHS data losses after staff details were inadvertently released – was one of three organisations to confirm data had gone missing in transit.

Both Alder Hey and the Liverpool Women’s Hospital said documents sent in the regular post never arrived, while Sefton PCT blamed the theft of a courier’s vehicle for files belonging to several children going missing.

A spokesman for Sefton PCT said: “People in Sefton can be confident that the Primary Care Trust looks after patient data very carefully and takes any breach or loss very seriously.

“We have strict policies and procedures about how data is used within the organisation and what happens in the event of an incident.

“The PCT employs the use of an incident reporting system to ensure incidents are reported, fully investigated and that lessons learned are cascaded within the PCT.

“Both incidents were investigated fully and reported to the Strategic Health Authority.”

Opposition politicians said the cases proved that data losses were now a regular occurrence and not just restricted to several high-profile cases, such as the loss of 25m child benefit files last year.

Shadow health secretary Andrew Lansley said: “The problem is endemic.

“The Government has been serially incompetent in looking after people’s personal data.

“People need to feel like they can trust the Government when they hand over personal data.”

Joyce Robins, from the patient support group Patient Care, said: “Health records can have anything from your ex-directory phone number to your HIV status.

“I think it’s the tip of the iceberg because there’s such carelessness within the NHS and it’s always impossible to hold anyone to account and find out who’s actually done anything.”

But a spokesman for the Department of Health said “There is no evidence of any data falling into the wrong hands.

“Patients are informed if it is appropriate to do so. Action will be taken against anyone who has failed to fulfil their legal responsibilities.’’

Category: Health Data

Post navigation

← Congress probes stolen laptop with 2,500 heart patients' names
Practicing Patients →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Masimo Manufacturing Facilities Hit by Cyberattack
  • Education giant Pearson hit by cyberattack exposing customer data
  • Star Health hacker claims sending bullets, threats to top executives: Reports
  • Nova Scotia Power hit by cyberattack, critical infrastructure targeted, no outages reported
  • Georgia hospital defeats data-tracking lawsuit
  • 60K BTC Wallets Tied to LockBit Ransomware Gang Leaked
  • UK: Legal Aid Agency hit by cyber security incident
  • Public notice for individuals affected by an information security breach in the Social Services, Health Care and Rescue Services Division of Helsinki
  • PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway (3)
  • Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Google agrees to pay Texas $1.4 billion data privacy settlement
  • The App Store Freedom Act Compromises User Privacy To Punish Big Tech
  • Florida bill requiring encryption backdoors for social media accounts has failed
  • Apple Siri Eavesdropping Payout Deadline Confirmed—How To Make A Claim
  • Privacy matters to Canadians – Privacy Commissioner of Canada marks Privacy Awareness Week with release of latest survey results
  • Missouri Clinic Must Give State AG Minor Trans Care Information
  • Georgia hospital defeats data-tracking lawsuit

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.