Haemorrhaging personal data

It would seem that the plague of personal data loss incidents has spread to Irish shores as the Irish Blood Transfusion Service admits to losing a laptop with 170,000 patient records on it.

This incident has all the makings of being a classic – 170,000 blood donors and 3,200 patients lost data after the laptop was stolen in New York. Details of exact information are not yet available, but are likely to emerge as the Service writes to affected patients. This is the second major health data loss to hit the news this week. There are however two significant mitigating factors in this case: firstly, the laptop was lost during a mugging, rather than left on the back seat of a car, in a train or by the bar in a pub. Secondly, the data was on a CD encrypted with an AES-256 algorithm.

What is interesting here is the Irish government’s willingness to disclose the loss even when the data is encrypted to that level. Of course every encryption mechanism can be broken if sufficient expertise and computing power is thrown at it, but is that really likely to happen in this case? Is it in fact possible that they’re concerned that the password was very weak indeed, or (as in the HMRC data loss case), written on a post-it note that was attached to the CD? Certainly in the UK if a public authority loses information that has been encrypted using a CESG-approved system, then the authority is allowed to assume that the data cannot fall into the wrong hands.

The most important issue here is why did that database exist in the first place? If it was encrypted and in the possession of an Irish national then it was probably legal for it to be there, but why did all that information need to be gathered on a single disk? I suspect that this will turn out to be another example of corners being cut in order to save costs, and if that is the case then the Irish Health Minister has some very awkward questions to answer.

[Thanks to Shaun for this story]