Missing NHS discs found - but incident costs £25,000

Whittington Hospital NHS Trust says it has accounted for four discs that went missing, which contained the personal details of 17,990 health service staff and former employees. The incident has cost the trust (taxpayers) about £25,000.

Police had been alerted, and the trust held 24 separate briefings for staff over four days, including one on Saturday, 20 September 2008, on the possibilities of identity theft. David Sloman, Chief Executive, wrote “individually” to the 17,900 staff at their home addresses to advise them of the missing data. The trust wrote to them again to let them know the discs had been accounted for. The trust also reported a Serious Untoward Incident. An enquiry had been set up and the Information Commissioner’s Office was alerted. Staff were advised to keep a regular check on their bank accounts and statements.

Searches were carried out in all areas of Whittington hospital’s salaries and wages office and the post room. The trust is based near the Archway tube station in London. There was also a search of the European headquarters in Warwick of McKesson, the intended recipients of the discs. McKesson runs the MAPS Manpower and Payroll system for the trusts. The Royal Mail was alerted.

In a statement on its website, Whittington prefers the phrase “accounted for” to “found.” It says:

“An inquiry held at the Whittington Hospital NHS Trust has concluded that all the missing discs that were thought to be lost have now been accounted for in the finance department at the Whittington. David Sloman, Chief Executive of the Whittington Hospital NHS Trust, said: “Following the detailed scrutiny of the inquiry panel we are clear the discs have now been accounted for and that there is no risk to staff. I apologise for the worry caused to both present and ex-staff.”

The missing discs contained information on staff who worked at Whittington Hospital NHS Trust, Camden Primary Care Trust, Islington Primary Care Trust and Camden and Islington NHS Foundation Trust, who were working at any point between April 2001 and March 2008.

By mistake an envelope containing discs with the payroll details of the staff was put in a post tray marked “recorded delivery” on Tuesday 22 July. It was to be sent by the Whittington Hospital’s payroll department, which administers the salaries and wages of the trusts, to McKesson, the company that provides a payroll IT service to the NHS. There is no record of the discs having been sent – so they were presumed lost.

Whittington’s policy is to send such information by courier. “To the Whittington’s knowledge this is the one and only time that such information was sent by post,” says the trust. A member of staff has been suspended.

The discs contained the name, date of birth, national insurance numbers, start date, pay details and sickness dates of the staff. There were no personal bank account details.

Although the discs went missing on 22 July, the earliest any member of Whittington staff realised that the package may be missing was 7 August. Even then the loss was not reported to senior officials within the organisation until 5 September. Whittington says: “The Trust is investigating the reasons for this [delay] and an enquiry is underway.”

It was not until 15 September that the trust wrote to staff whose details were on the discs. The reason for the delay, says the trust, is that it “needed to ensure that it had a full understanding of the facts and the risks, and to ensure that a comprehensive briefing and staff support system was in place”.

Below is the letter the trust sent to staff. (The trust’s website refers to “discs” but the letter to staff refers to a single disc.) The letter was signed by David Sloman, the chief executive of Whittington Hospital NHS Trust.

“I am sorry to inform you that a disc containing the personal information of current and past staff at the Whittington has gone missing. The data on the disc goes back to April 2001 and was directed via the post in error from our payroll department to our IT payroll supplier at the end of July.

“The disc has an alpha-numeric password on it, which unless found by expert hackers is very difficult to break. The police have been informed and have advised us that this should be treated as a loss and that the associated risk for staff is minimal. Personal bank details were not on the discs. They do contain the name, date of birth, National Insurance number, start date and pay details and sickness dates of all staff and the addresses of some.

“It is Trust policy to send any such information by courier. To our knowledge this is the one and only time that such information was sent by post. We are carrying out a full investigation as to why this happened and will let you know more details when we get them.

“Whilst the investigation work will be ongoing, our immediate concern is that we support all staff who may have any worries about this matter.   

“A series of questions and answers are attached along with a sheet on identity theft. We will be holding a series of briefings for staff where you can bring your questions and concerns. A dedicated email contact point has been set up for staff to register their queries, and a response will be provided either by email or by telephone as soon as we can… please wait to email until you have attended one of many briefings arranged …I hope to see you at one of these meetings. Again I must apologise for this serious breach of confidentiality. I have written to you all individually at your home address but I wanted you to know of this matter as soon as possible.”


Hospital finds data discs which sparked identity theft inquiry – Camden News, September 2008

Trust loses 18,000 staff records – BBC online, September 2008

Trust loses staff records – NO2ID website

Trust loses 18,000 records – US website


1 comment

Dear Editor

I thought I had given up responding to the UK government’s stupidity in not appointing an IT supremo who was really IT knowledgeable and totally independent and free from the corrupt influence of big business.

In the 1970s/80s/90s I was a regular contributor, I was the MD of MHA Associates and Publisher of the Search & Match the first ever 4GL information retrieval system;

Which offered to match anyone’s computer requirement against the whole computer market place, we also offered a Guarantee that our recommended system would match any client’s computer needs, each client was offered a Guarantee backed by Lloyds of London to £1m.

Even in those days the NHS could never get it right. I was called in by the Isle of Wight Health authority because the two senior people considered they were on the wrong track.

I carried out a survey and then asked to present my report to the hospital IT committee, 13 members one for every dept. All had either bought or were considering buying totally independent systems, different operating systems, no comms between systems,

Each system had to hold its own duplicated patients’ records, poor report writing ability if at all. The Pathology had a very poor system yet they were proposing to buy 5 similar systems for other pathology depts in other hospitals of the group. When I told them rather forcefully what a total mess they were in I was sacked, much to the two wide awake members who had invited me in and agreed with my advice.

There are so many little Hitlers in government and commerce who are more interested in personal gain than what is best for company or country.

I could go on but the government have never appointed anyone with the ability to solve the problem, or given anyone the full authority to do so.

My web site was also contracted by the DTI to be the central information source for the proposed OSIS web site, which was to be a free service launched by the NCC and Level7 to help all Open Systems users to select the right solution. It was sponsored by IBM, Bull, ICL; it was to be launched by Patrick McLoughlin Under sec of Trade & Technology on 27th January 1944.

Just two weeks before the launch I received a letter saying that due to legal problems they could not use my database.

Unofficially I was told BIG BLUE objected to my systems total unbiased objectivity, the system showed what was best for the enquirer not just IBM or the other sponsors.

I attended the launch and told the Minister the system would fail within months I was laughed off, it failed in 9 months with £14m losses.

I am currently writing a book showing up some of the government’s total ineptitude.


Maurice Hamlin

PS I now publish www.practicalspain.com as a hobby to help others immigrating to Spain avoid the many pitfalls.

Bye, I'm a young retired 84


Maurice nR Hamlin


00 34 96 296 0920