
Thieves break hospital security to take laptops

Tags: London   Security  

19 Jun 2008

Six laptop computers, containing the data of around 20,000 patients, have been stolen from a London hospital by thieves who broke into a locked cabinet in a secure room.

The laptops were updated with the patient data following problems with a central computer network at St George’s Healthcare NHS Trust and were stored in offices at the St George’s Hospital in Tooting.

The patient data was password protected with personal information hidden, although the patient’s name and hospital number are visible. A trust spokesperson told E-Health Insider that the data was not encrypted. She added that a police investigation was underway into the theft.

In a statement, the trust said: “Six laptop computers were stolen from offices in Atkinson Morley Wing of St George’s Hospital, Tooting during the weekend between Friday evening (6 June) and Monday morning (9 June) when the theft was discovered.

“The trust immediately contacted police and are working with them on their investigation. The laptops were stored in a secure room in a locked cabinet which appears to have been broken into by force.”

Whilst initial police investigations were underway, the trust waited a week before writing to each of the patients whose data was on the laptop, apologising for the potential risk to their confidentiality. A trust spokesperson told EHI the delay was to allow police time to thoroughly investigate the theft.

The statement said: “The laptops contain information about some 20,000 patients, including their name, date of birth and postcode. The trust acknowledges that patient data should not have been stored on laptops.

“This was done as a temporary measure because of a problem with the computer network. However, the laptops were in a secure area under lock and key. The data was being used to monitor and reduce waiting times at the hospital.”

The trust has begun an internal investigation into the theft and pledged to immediately implement any recommendations regarding security.

Chief executive, David Astley, said: “We offer all our patients our sincere apologies for putting their confidential information at risk, although we could not anticipate a determined thief who was prepared to force open a filing cabinet and locked drawers to get to the laptops.

“We believe the data will almost certainly be wiped by the thief so he can get a quick sale. None the less we owe it to our patients to protect their personal information and we have reminded our staff not to store this kind of data on laptops in the future. We have also set up a helpline for patients to ring for further information.”

The chief executive assured patients that no patient records were missing at the trust and treatment plans would remain unaffected.

“We have not lost any patient data as a result of this incident as the trust still holds their records on a secure central system. This theft will not disrupt any treatments or appointments planned for the patients affected,” he said.

One affected reader told EHI the lack of communication from the trust about the theft deeply concerned them.

“It is beyond belief that they would wait a whole week before telling us that someone could have my medical details in front of them, and know all of my personal details. We should be told about these things straight away, it is after all our data. It deeply concerns me that this seems to have been overlooked by the trust,” she said.

Joe Fernandez

© 2008 E-HEALTH-MEDIA LTD. ALL RIGHTS RESERVED.

Readers Comments

1

privacy violations

cpoee1@yahoo.com

19 Jun 08 16:10

Wonderful coverage. Typical administration response including the delay of disclosure and depreciation of the severity of the matter...This is standard fare in the world of health IT. Just another unintended consequence of a flawed system. They may get lost or are missing but how many paper records are stolen?

Cepi


2

Here we go again.

19 Jun 08 20:57

Once again, we criticise a system because people didn't follow it.

In the commercial sector, this would be summary dismissal. How stupid or arrogant do you have to be to put extremely sensitive information onto insecure devices?

With the exception of the MTAS debacle, almost every 'scandal' we read is the result of negligence by individuals; usually in blatant breach of simple policies.

Come on folks. This isn't difficult. It isn't 'our' information - it's the patients', and falls within the duty of care we all owe them. Anyone proven to be cavalier with this responsibility should expect to face the consequences.

Yes we need to provide more training & awareness, and move away from locally held data on easily nickable kit, but meanwhile, a bit of common sense needs to prevail.


3

Paper records

19 Jun 08 23:21

"They may get lost or are missing but how many paper records are stolen?" ... ever tried to get a filing cabinet through a window? Isn't it about time that the NHS grew up and started treating confidential information as "CONFIDENTIAL" and those that breach the DPA and laid out procedures are not promoted out of the way - just sack and prosecute them as goes on in the commercial sector?


4

sanity check

andy.hadley@ferndown.nhs.uk

20 Jun 08 18:05

It appears that the setup of these laptops was a pragmatic response to technical problems with network access to the Patient Systems. We have, following a similar assessment, for a number of years regularly created backups onto CD of essential information to keep patient flows; namely casenote numbers to find the paper casenotes (and latest known location of the notes), and future appointments and admissions. This is sensible resilience planning, and has nothing whatever to do with local versus data centre storage. No electricity, or no network connection hits both equally.

What is surprising given recent problems is the failure to modify their systems to encrypt the data on the laptops.

It also shows that, unlike many commercial premises, it is very difficult in hospitals to consider any location as secure, since the public can waltz through. However, where we experienced thefts, it seemed often to link to the presence of external contractors (IT or building).

The week's wait is also interesting. If you said 'hey you've just nicked patient data' would the thief say 'sorry' and return it, or attempt to sell the data as well as the laptop. Perhaps the lack of publicity made it more likely that the data was destroyed rather than exploited.


5

not that secure.

stressfreedave@hotmail.com

20 Jun 08 18:20

This story only goes to show that when it comes to protecting data, there will always be people who do not take the threat as seriously as they like to claim.

The trust admitted that the data should not have been on the laptops, so why was it there? Yes paper records could have been stolen, but have you tried getting 20,000 paper records in your bag? The advantage a thief has with computers is they can take the whole thing and then go through the records in their own time, not as easy to do with paper records.

When storing patient information it should always be assumed someone will want to steal it, that way your standards have to be high.
