Haemorrhaging personal data

It would seem that the plague of personal data loss incidents has spread to Irish shores as the Irish Blood Transfusion Service admits to losing a laptop with 170,000 patient records on it.

This incident has all the makings of being a classic – 170,000 blood donors and 3,200 patients lost data after the laptop was stolen in New York. Details of exact information are not yet available, but are likely to emerge as the Service writes to affected patients. This is the second major health data loss to hit the news this week. There are however two significant mitigating factors in this case: firstly, the laptop was lost during a mugging, rather than left on the back seat of a car, in a train or by the bar in a pub. Secondly, the data was on a CD encrypted with an AES-256 algorithm.

What is interesting here is the Irish government’s willingness to disclose the loss even when the data is encrypted to that level. Of course every encryption mechanism can be broken if sufficient expertise and computing power is thrown at it, but is that really likely to happen in this case? Is it in fact possible that they’re concerned that the password was very weak indeed, or (as in the HMRC data loss case), written on a post-it note that was attached to the CD? Certainly in the UK if a public authority loses information that has been encrypted using a CESG-approved system, then the authority is allowed to assume that the data cannot fall into the wrong hands.

The most important issue here is why did that database exist in the first place? If it was encrypted and in the possession of an Irish national then it was probably legal for it to be there, but why did all that information need to be gathered on a single disk? I suspect that this will turn out to be another example of corners being cut in order to save costs, and if that is the case then the Irish Health Minister has some very awkward questions to answer.

[Thanks to Shaun for this story]

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

Shaun's kindly provided some more information on this one: 1. The database was sent in encrypted form to the New York Transfusion Service, so that they could test a replication of their own data management system before selling back to the Irish. The database had been copied over to the CD/laptop, which belonged to an employee of the NYTS – no-one has yet confirmed whether or not the copied database had also been encrypted. 2. The employee had taken the database home to work on it and was mugged entering his/her apartment, which suggests that he/she may have been targeted (a favourite for the conspiracy theorists). 3. The Irish Blood Transfusion Service stated on radio that the database included names, PPS numbers (same as Nat Insurance numbers), telephone numbers and blood groups. 4. The feeling here is that there is no specific threat to the Irish public resulting from the theft (mainly because the Irish are not really considered to be a threat to anyone internationally). However, if the database was successfully unlocked and published on the web, there would be 170,000 lawsuits under the Data Protection Act.