The trust sent a letter of apology to all those affected after a member of the public found the memory stick that had been left by a member of staff behind a hospital building, reports the BBC.
The data on the memory stick was not password-protected, but the trust said it took data security "extremely seriously" and the loss was an "isolated incident".
East Sussex Healthcare NHS Trust chief executive Darren Grayson said the memory stick belonged to a member of staff and was not compliant with trust policy that mandates encryption.
Security experts have warned that such data is valuable to criminals who can use it to commit fraud and other crimes enabled by identity theft.
David Juitt, chief security architect at security software firm Ipswitch, said this incident illustrates that data breaches are often not the result of a sophisticated hack.
“The stark reality is that, according to the Online Alliance Trust, last year almost one-third of data breaches were caused either accidentally or maliciously by employees,” he said.
Juitt said the way that files are shared and moved is key in securing the data in transit. “A memory stick is as easy to lose as a pen. An unencrypted memory stick with personal and sensitive health data on it is more than careless, it is negligent,” he said.
Juitt said that by automating, managing and controlling all file transfers from a central point of control, organisations make it easy for employees to send and share files using IT-approved methods.
“The IT department also gains complete control over activity. It’s no longer good enough just to have the right policies in place for secure data transfer, an organisation must ensure it has the right file-transfer technologies, security systems, processes and, most importantly, staff training,” he said.
Luke Brown, vice-president and general manager for Europe at security firm Digital Guardian, said human error is something that many organisations forget about when working with sensitive data. “Looking within your organisation for potential threats to data security is imperative,” he said.
Brown said there are numerous technologies designed to combat human error and small investments can go a long way.
“When organisations deploy technology that protects data at source, it removes the risk factor associated with human error and insider threats. Furthermore, employees quickly become aware of the impact of their actions, leading to rapid behavioural changes,” he said.
According to Brown, within just a month or two of deploying data-centric security systems, organisations typically see a dramatic drop in staff-related data breaches.