Lost NHS medical records: Laptops had unused encryption software

The NHS has suffered another breach, this one compromising 18 million records. Worse yet: The laptops could have been encrypted with already purchased software.

The loss of 20 unencrypted laptop computers at London Health Programmes, a medical research organisation based at the NHS North Central London health authority, could result in the biggest ever health care data breach suffered by the NHS.

According to a report in The Sun newspaper this week, the laptops went missing in May, and only three have been recovered. One missing machine, which was password-protected but not encrypted, contained details of 8.63 million people and the NHS medical records of 18 million hospital visits, operations and procedures. It has now been reported as stolen to the police.

Although patients’ names were not included, it is feared that individuals could be identified from their post codes, and other details, such as gender, age and ethnic origin.
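The re-identification risk described in the paragraph above comes from quasi-identifiers: attributes that are individually harmless but jointly single out one person. The following is an added example, not part of the original article, that measures that risk as k-anonymity (the size of the smallest group of records sharing the same postcode, gender, age and ethnicity) over a small constructed sample, and shows the effect of generalising postcode and age before release. All records, postcodes and category codes are made up for illustration.

```python
"""Quasi-identifier re-identification risk check (added example).

Names are absent from every record below, yet the combination of postcode,
gender, age and ethnicity still isolates individuals. k-anonymity of 1 means
at least one record is unique on those attributes.
"""
from collections import Counter

# Constructed sample records (not real NHS data). The "procedure" field stands
# in for the sensitive content that the quasi-identifiers would be linked to.
SAMPLE_RECORDS = [
    {"postcode": "N19 5XX", "gender": "F", "age": 34, "ethnicity": "A", "procedure": "knee arthroscopy"},
    {"postcode": "N19 5XX", "gender": "F", "age": 34, "ethnicity": "A", "procedure": "tonsillectomy"},
    {"postcode": "N19 5XX", "gender": "M", "age": 71, "ethnicity": "B", "procedure": "hip replacement"},
    {"postcode": "N19 5XX", "gender": "M", "age": 78, "ethnicity": "B", "procedure": "cataract surgery"},
    {"postcode": "NW1 2XX", "gender": "F", "age": 52, "ethnicity": "C", "procedure": "cataract surgery"},
    {"postcode": "NW1 2XX", "gender": "F", "age": 55, "ethnicity": "C", "procedure": "appendectomy"},
]

# The attributes the article names as a potential route to identification.
QUASI_IDENTIFIERS = ("postcode", "gender", "age", "ethnicity")


def _qi_tuple(record, keys):
    return tuple(record[k] for k in keys)


def group_sizes(records, keys=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(_qi_tuple(r, keys) for r in records)


def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Smallest equivalence-class size; 0 for an empty dataset."""
    sizes = group_sizes(records, keys)
    return min(sizes.values()) if sizes else 0


def unique_records(records, keys=QUASI_IDENTIFIERS):
    """Records that are the only one with their quasi-identifier combination."""
    sizes = group_sizes(records, keys)
    return [r for r in records if sizes[_qi_tuple(r, keys)] == 1]


def generalise(record):
    """Coarsen the record: full postcode -> outward code (district), age -> 10-year band."""
    out = dict(record)
    out["postcode"] = record["postcode"].split()[0]
    low = record["age"] // 10 * 10
    out["age"] = f"{low}-{low + 9}"
    return out


def generalised_k(records, keys=QUASI_IDENTIFIERS):
    """k-anonymity after applying generalise() to every record."""
    return k_anonymity([generalise(r) for r in records], keys)


if __name__ == "__main__":
    print("raw k =", k_anonymity(SAMPLE_RECORDS))
    print("unique on raw quasi-identifiers:", len(unique_records(SAMPLE_RECORDS)))
    print("k after generalisation =", generalised_k(SAMPLE_RECORDS))
```

On this sample the raw data has k = 1 (four of the six records are unique on the four attributes alone), while coarsening postcode to the district and age to a ten-year band raises k to 2. A release policy would normally set a minimum k and suppress or further generalise any group below it; the check is cheap enough to run before any extract leaves the organisation, whether on a laptop or otherwise.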

The loss is just the latest in a long series of breaches suffered by the NHS over the last few years. Back in 2009, the Information Commissioner’s Office issued a public warning to the NHS to tighten up security, saying the number of breaches sustained by the NHS exceeded those in local and central government combined.

In the wake of the latest loss, the Department of Health issued a statement saying all NHS organisations should ensure laptops are encrypted.

So far, the ICO is watching developments, and issued the following statement: “Any allegation that sensitive personal information has been compromised is concerning and we will now make inquiries to establish the full facts of this alleged data breach.”

Don Smith, European vice president of engineering and technology for Dell SecureWorks, said in a statement: “The news shows the importance of protecting data and applying basic data protection principles. Personal data is not an abstract commodity and the onus should be on organisations to create the proper culture, policies, processes and procedures for data handling and protection.” 

Christian Toon, head of information risk for Iron Mountain, urged health authorities to improve their whole approach to managing both electronic and paper records. “All public authorities handle sensitive data and need to ensure that they have robust policies and processes in place for managing, storing and tracking information,” he said. “This is not just good practice. The public have a right to expect that information about them is protected.”

Perhaps the most concerning factor of the breach, however, is that the laptops could have been encrypted all along. David Tomlinson, managing director of Taunton-based Data Encryption Systems, said the NHS has a licence to run McAfee software on all its computers, including the SafeBoot disk encryption product.

"If someone wasn't encrypting their laptops, questions should be asked," he said, "because they've paid for [the encryption]."