Whittington Hospital NHS Trust says it has accounted for four discs that went missing, which contained the personal details of 17,990 health service staff and former employees. The incident has cost the trust (taxpayers) about £25,000.
Police had been alerted, and the trust held 24 separate briefings for staff over four days, including one on Saturday, 20 September 2008, on the possibilities of identity theft. David Sloman, Chief Executive, wrote "individually" to the 17,900 staff at their home addresses to advise them of the missing data. The trust wrote to them again to let them know the discs had been accounted for. The trust also reported a Serious Untoward Incident. An enquiry had been set up and the Information Commissioner's Office was alerted. Staff were advised to keep a regular check on their bank accounts and statements.
Searches were carried out in all areas of Whittington hospital's salaries and wages office and the post room. The trust is based near the Archway tube station in London. There was also a search of the European headquarters in Warwick of McKesson, the intended recipients of the discs. McKesson runs the MAPS Manpower and Payroll system for the trusts. The Royal Mail was alerted.
In a statement on its website, Whittington prefers the phrase "accounted for" to "found." It says:
"An inquiry held at the Whittington Hospital NHS Trust has concluded that all the missing discs that were thought to be lost have now been accounted for in the finance department at the Whittington. David Sloman, Chief Executive of the Whittington Hospital NHS Trust, said: 'Following the detailed scrutiny of the inquiry panel we are clear the discs have now been accounted for and that there is no risk to staff. I apologise for the worry caused to both present and ex-staff.'"
The missing discs contained information on staff who worked at Whittington Hospital NHS Trust, Camden Primary Care Trust, Islington Primary Care Trust and Camden and Islington NHS Foundation Trust, who were working at any point between April 2001 and March 2008.
By mistake an envelope containing discs with the payroll details of the staff was put in a post tray marked "recorded delivery" on Tuesday 22 July. It was to be sent by the Whittington Hospital's payroll department, which administers the salaries and wages of the trusts, to McKesson, the company that provides a payroll IT service to the NHS. There is no record of the discs having been sent - so they were presumed lost.
Whittington's policy is to send such information by courier. "To the Whittington's knowledge this is the one and only time that such information was sent by post," says the trust. A member of staff has been suspended.
The discs contained the name, date of birth, national insurance numbers, start date, pay details and sickness dates of the staff. There were no personal bank account details.
Although the discs went missing on 22 July, the earliest any member of Whittington staff realised that the package may be missing was 7 August. Even then the loss was not reported to senior officials within the organisation until 5 September. Whittington says: "The Trust is investigating the reasons for this [delay] and an enquiry is underway."
It was not until 15 September that the trust wrote to staff whose details were on the discs. The reason for the delay, says the trust, is that it "needed to ensure that it had a full understanding of the facts and the risks, and to ensure that a comprehensive briefing and staff support system was in place".
Below is the letter the trust sent to staff. (The trust's website refers to "discs" but the letter to staff refers to a single disc.) The letter was signed by David Sloman, the chief executive of Whittington Hospital NHS Trust.
"I am sorry to inform you that a disc containing the personal information of current and past staff at the Whittington has gone missing. The data on the disc goes back to April 2001 and was directed via the post in error from our payroll department to our IT payroll supplier at the end of July.
"The disc has an alpha-numeric password on it, which unless found by expert hackers is very difficult to break. The police have been informed and have advised us that this should be treated as a loss and that the associated risk for staff is minimal. Personal bank details were not on the discs. They do contain the name, date of birth, National Insurance number, start date and pay details and sickness dates of all staff and the addresses of some.
"It is Trust policy to send any such information by courier. To our knowledge this is the one and only time that such information was sent by post. We are carrying out a full investigation as to why this happened and will let you know more details when we get them.
"Whilst the investigation work will be ongoing, our immediate concern is that we support all staff who may have any worries about this matter.
"A series of questions and answers are attached along with a sheet on identity theft. We will be holding a series of briefings for staff where you can bring your questions and concerns. A dedicated email contact point has been set up for staff to register their queries, and a response will be provided either by email or by telephone as soon as we can... please wait to email until you have attended one of many briefings arranged ...I hope to see you at one of these meetings. Again I must apologise for this serious breach of confidentiality. I have written to you all individually at your home address but I wanted you to know of this matter as soon as possible."