
Colchester manager sacked over lost laptop

11 Aug 2008

A senior hospital manager, who lost a laptop containing the unencrypted records of more than 20,000 patients while he was on holiday, has been dismissed from his position.

The manager, from Colchester Hospital University NHS Foundation Trust, lost the laptop in Edinburgh in June and was initially suspended while a police investigation and an internal inquiry were conducted.

Last Friday, the unnamed manager was summoned to a disciplinary hearing, where the trust decided to terminate his employment.

Peter Murphy, the trust’s chief executive, said: “Following a disciplinary hearing after a detailed investigation, the senior manager whose hospital laptop computer was stolen has been dismissed from the trust with immediate effect.

“The unanimous decision of the disciplinary panel sends out a clear statement about how seriously the trust takes security and patient confidentiality. I again apologise for the distress the theft of this laptop may have caused.”

The trust says it is now completing an investigation report into the incident. Murphy added: “We will be engaging an external consultancy to carry out an independent assessment of the trust’s procedures and protocols on data security.”

In May, NHS Connecting for Health selected security software specialist McAfee to provide solutions for endpoint desktop encryption and port control, to protect confidential data on NHS computers and mobile devices.

However, the Department of Health has said it will take at least six months for every trust to complete the rollout of encryption.


Joe Fernandez

© 2008 E-HEALTH-MEDIA LTD. ALL RIGHTS RESERVED.

1

Security?

11 Aug 08 13:40

Actually the unanimous decision of the disciplinary panel shows how much more work is needed on security within the NHS.

Security people are strange: we can't walk into a shop without thinking about how to steal things; we can't vote in an election without thinking about how to do it multiple times; we can't log onto a computer terminal without thinking about how to steal all the data and how much money we could make from doing it.

It's the job of security people to ensure that everybody else doesn't have to think about these things. There is no way a non-security person should have unrestricted access to 20,000 patient records because he isn't trustworthy - he could leave it in his car while on holiday because he doesn't spend his life thinking about the threats.

Unfortunately, it seems the trust is more interested in finding a scapegoat for their data breach than improving its security so that such breaches cannot happen again.


2

Scapegoat or not?

12 Aug 08 13:26

If it was proven in the hearing that the member of staff had attended appropriate training and had been made aware of the issues, then they aren't necessarily being made a scapegoat; they may well carry some of the blame.

Unless you were present at the panel, you're making quite an assumption that the reason behind this was poor technical/organisational security, without considering that the user could have been at least in some way at fault. Why was the laptop taken on holiday!?


3

Not quite the solution we thought it was ......

13 Aug 08 14:34

"In May, NHS Connecting for Health selected security software specialist McAfee to provide solutions for endpoint desktop encryption and port control, to protect confidential data on NHS computers and mobile devices."

Interesting paragraph, particularly when you find out that the scope of the project was to protect "data at rest", whereas any wet-behind-the-ears Information Security practitioner will tell you that the biggest risk is from "data on the move".

That is why we all had to identify and, if necessary, suspend TRANSFERS of personal data in unencrypted form.

Good grief! We have to spend an additional £70k just to plug the holes that the CfH solution fails to address.


4

Why 20,000?

14 Aug 08 20:22

The whole story leaves me feeling slightly uneasy somehow. To start with, why 20,000 records? It sounds very much like some sort of audit or analysis. This happened in June; warnings came out in May. When were the records downloaded, and why hadn't security at Colchester made sure that, if my assumption that this was some sort of official project is correct, encryption had been applied to downloads? Why was the laptop in Edinburgh: holiday or Trust work? If holiday, what is the culture in Colchester which demands that holidays should be occupied working on files which should never have been moved out of the Trust? If work and official, why hadn't proper security been applied at download? I agree that, seeing the attitude of the DH, there would have to be some sort of internal procedure and a few scalps, but was one of the issues that of bringing the Trust into disrepute with the DH & SoS?


5

It's a step in the right direction!

max.lock@live.co.uk

15 Aug 08 16:29

This Trust has obviously investigated this incident thoroughly and has had to make a difficult decision in dismissing one of its senior managers. I have to say that I entirely agree with their actions. Trusts have to demonstrate that data and hardware losses will not be tolerated. The cost is not only in pounds and pence for replacement of this member of staff and the hardware, but also in the loss of patient confidence with regards to the NHS's ability to safeguard their data. If heads must roll, then roll they should, until security is a primary concern to all staff, not just an afterthought.


6

Scapegoat?

stressfreedave@hotmail.com

15 Aug 08 17:18

Although I should be pleased the trust took the breach seriously, I can't help wondering what happened to the person/people that set up a system that allowed the information to be downloaded. It does seem a bit like a PR stunt by the trust; perhaps they should be looking at how the manager got the data and why he had to take it away with him.

I also have to wonder about the training people are given. As mentioned before, security people think about how to protect data from being stolen all the time, but I have rarely come across NHS health workers that have any idea about how to stop data being stolen (one nurse I saw had the computer screen positioned in such a way that you could see the name of the next patient, and she left the room to get something without switching it off. It was at that point I became really pleased my GP had agreed to keep my records on paper and only give the nurse limited information about me).

Because of an issue I had with an NHS trust and a GP practice in the North West, I managed to get hold of the audit trail, but the audit trail was either incomplete or it was possible for practices in the area and some staff at the hospital to access the data without it showing up on any audit trail. In other words, it might have been possible to download the data without anyone finding out, which is not really that secure (I can provide a copy of the audit trail I was sent).


7

Interesting and encouraging news

18 Aug 08 16:48

It's nice to see trusts are finally treating this kind of behaviour as seriously as it should be. As mentioned previously, we can't know the points raised during the disciplinary proceedings, but will the findings of the security review be published so patients can see that problems are addressed rather than forgotten behind a lengthy and expensive PR exercise?

The readers' poll asking if people should be sacked for losing unencrypted data could perhaps be expanded in scope: "should people be disciplined for having PI data on an unencrypted device?" During a recent outpatient visit to the local teaching hospital, I saw many memory sticks being carried around on keychains. When I asked if these were encrypted I usually received blank looks, though the best answer was "I don't need to encrypt it, I'm not going to lose it". Ten minutes later I was talking to the head of the IT department, being told that they were sure every portable device was encrypted... Are the poor IT and data protection guys trying to break through brick walls with their foreheads here? It appears, in this hospital at least, that data security is being viewed as an obstruction to work and ignored as much as possible.

"Good grief! We have to spend an additional £70k just to plug the holes that the CfH solution fails to address." Just what exactly have you spent this money on, and which holes are you plugging?
