Several patient data theft cases were brought to the attention of the Information Commissioner’s Office (ICO) over the last month. The cases involved eight desktop computers and four laptops containing sensitive patient details, stolen from different hospitals. In most cases, the computer equipment was neither encrypted nor kept physically secure in locked premises, carelessly exposing patients’ mental and physical health details to the risk of unauthorized access or theft.
The first case, at Great Yarmouth and Waveney Primary Care Trust (PCT), involved the theft of two computers containing unencrypted patient health details and trade union membership data, dangerously kept in an office that had no intruder alarm or internal door security locks. This case is a direct breach of the Data Protection Act, and the trust was asked to take immediate action to set policies for processing confidential data in compliance with it.
Another case was the theft of six desktop computers holding personal data of 2270 patients of Gloucestershire PCT; medical secretaries used the computers to prepare referral and diagnosis documents and correspondence. As the ICO reports, the computers were password protected; this, however, does not keep the data inaccessible once a hard drive is removed. To avoid such a situation, the ICO recommends keeping sensitive data on a local server, but encrypting the data would ensure true data security wherever it is kept.
Maidstone and Tunbridge Wells NHS Trust hospitals had 4 laptops stolen from their premises, one of which was unencrypted. The unprotected laptop contained audiology test results and personal details of 33 patients recorded between 2003 and 2009. The ICO urged the Trust to take special measures to address patient data protection and to ensure its procedures comply with the Data Protection Act. These measures include identifying confidential data and having encryption software in place and properly applied on all computer equipment that holds such data.
All of these cases testify to unwanted attention from unauthorized third parties, which threatens the privacy of numerous patients whose confidential data might be exposed. The fact that such patient records were stolen intentionally signals that they are likely to serve someone’s illegal, commercial or selfish purposes, and that the healthcare institutions holding them must give them due protection.