In a brief written announcement issued on its website, the Colchester Hospital University NHS Foundation Trust announced that the manager concerned had been dismissed from his job following an internal investigation and a disciplinary hearing.
The laptop went missing when a thief broke into the manager's car in Scotland on 18 June. At the time, the trust admitted the laptop "contained personal information on several thousand of our patients, amongst many other files of less sensitive data. The lists contained details including patients' names, their date of birth, postcode, hospital number and the hospital procedure the patient was about to undertake." No files were encrypted, although the machine itself was password-protected.
Following the incident, the trust sent out 21,000 letters to patients affected and set up a telephone helpline. It also suspended the manager, who has not been named, from duty.
In this week's announcement the trust's chief executive Peter Murphy says: "The unanimous decision of the disciplinary panel sends out a clear statement about how seriously the Trust takes security and patient confidentiality."
Murphy also apologised for any distress the loss of data might have caused patients, and said he would be taking on a security consultancy to review the trust's procedures.
No senior manager was available to discuss the case, but Melanie Willis, who handles press relations for the trust, said that security policy was laid down by the NHS, and the staff was expected to follow those guidelines. She said that all staff had now been reminded of their duty of care regarding the security of patient information.
The decision to fire the manager was described as "tough" by Jamie Cowper, European head of marketing for encryption company PGP Corp. "I don't know all the details of the case but, unless the guy had been told countless times to remove the stuff off his laptop and ignored the warnings, it does sound a bit severe."
Cowper said that, since there was nothing to suggest the manager was an IT expert, the case underlined the need to take security out of users' hands, wherever possible, and use policy to drive file encryption, for example.
In the case of the lost CDs at Her Majesty's Revenue and Customs last year, when 25 million records of child-benefit recipients went missing, the senior civil servant of the organisation took responsibility and resigned his post. The subsequent Poynter Report, which detailed the events leading up to the loss, indicated a general lack of security awareness and a lack of leadership from senior managers. Junior managers involved in the events were cleared of any personal responsibility.