Sensitive computer disks handed back to hospital after security alert

Whittington Hospital NHS Trust said it has "accounted for" four missing computer disks

Whittington Hospital NHS Trust said it has "accounted for" four missing computer disks which contained the personal details of 17,990 health service staff and former employees.

The trust alerted police, the information Commissioner's Office and Royal Mail after the disks went missing in July. The incident cost the trust and taxpayers about £25,000,

But it emerged today, that the disks have been handed into the trust's finance department, following a major security alert.

David Sloman, chief executive of the Whittington Hospital NHS Trust, said, "Following the detailed scrutiny of the inquiry panel we are clear the discs have now been accounted for and that there is no risk to staff. I apologise for the worry caused to both present and ex-staff."

The missing discs contained information on staff who worked at Whittington Hospital NHS Trust, Camden Primary Care Trust, Islington Primary Care Trust and Camden and Islington NHS Foundation Trust, who were working at any point between April 2001 and March 2008.

A member of staff mistakenly put an envelope containing the discs in a post tray marked "recorded delivery" on Tuesday 22 July. The disks were to be sent to McKesson, the company that provides a payroll IT service to the NHS. The trust said that there was no record of the discs having been sent, and they were presumed missing.

The trust's chief executive David Sloman held 24 separate briefings for staff over four days on the possibilities of identity theft, following the loss of the disks.

Sloman also wrote "individually" to the 17,900 staff at their home addresses to advise them of the missing data, and the trust advised staff to keep a regular check on their bank accounts and statements.

Searches were carried out in all areas of Whittington hospital's salaries and wages office and the post room. There was also a search of the European headquarters in Warwick of McKesson, the intended recipients of the discs, which runs the MAPS Manpower and Payroll system for the trusts.

Whittington's policy is to send such information by courier. "To the Whittington's knowledge this is the one and only time that such information was sent by post," said the trust.

The discs contained the name, date of birth, national insurance numbers, start date, pay details and sickness dates of the staff. There were no personal bank account details.

A member of staff has been suspended.

Read more on IT risk management