Incident Type. Non Complia nt Orgs as of 31st Mar 2012

Transcription

1 Data Loss Indicator Information Governance/Data Loss Indicator This following table and graph provide details of incidents by month, broken down by type of incident, and the latest published IG Toolkit performance in terms of number of organisations that are a) fully compliant, b) compliant with key security requirements and c) non-compliant. Cluster LONDON Organisation Types Number of Orgs IG Toolkit Compliance Fully Complia nt Orgs as of 31st Mar 2012 Security Complia nt Only Orgs as of 31st Mar 2012 Non Complia nt Orgs as of 31st Mar 2012 Incident Type I Loss/Theft from secured IV Unauthorised II Loss/Theft from outside secured V Other III Unsecure disposal of data No of Incidents for the quarter ( to No of Incidents for Jul-11 to Jun-12 Jun-12) by Type I II III IV V I II III IV V Commissioner Provider Commissioner Provider NORTH Commissioner Provider SOUTH Commissioner Provider Other bodies where incidents have occurred Sub Total Total Key: Fully Compliant as of 31st Mar 2012: Organisations have achieved level 2 or 3 across all IGT Requirements Security Compliant Only as of 31st Mar 2012: Organisations have achieved level 2 or 3 across all Key Information Security Requirements Non Compliant as of 31st Mar 2012: Organisations have not met minimum level 2 on one or more requirements 1

2 ANNEX A Data Loss Incidents within the Quarter Apr - Jun 2012 Date of Incident Cluster Organisation Name ICO Grade (I, II, III, IV,V) Volume Format (Paper/Digital/Other) Summary of Incident NORTH Mid Yorkshire Hospitals NHS Trust 26 Paper Patient discharge details of 26 patients inadvertently included in discharge medication package. Bedford Hospital NHS Trust 111 Paper A Community midwife had her car stolen. Maternity records containing patient information were in the care. Birmingham And Solihull Mental Health NHS Foundation Trust 48 Paper A brief case was stolen from the boot of a CPN's car overnight, found in a local park and there is a possibility that a caseload list containing patient names and addresses has been taken. 2

3 Incident Cluster Organisation Name ICO Grade (I, II, III, IV,V) Volume Format (Paper/Digital/Other) Summary of Incident East of England Ambulance Service NHS Trust 1650 Digital 1650 patient identifiable records stored on the Falls Register distributed to 7 individuals internal and external to the Trust via secure NHS mail. However, this was an inappropriate distribution to the wrong individuals. Ipswich Hospital NHS Trust I - Loss/theft from secured Unknown Paper A patient list was left at a patient bedside and removed from the Trust site by a patient s relative. Peterborough And Stamford Hospitals NHS Foundation Trust 38 Paper A ward list containing 38 patient's personal and clinical details was included in a patient's take-home discharge information. The Royal Wolverhampton Hospitals NHS Trust 1 Paper Confidential child protection report of a patient was left in the home of another patient who lived in the same street. Worcestershire Acute Hospitals NHS Trust 13 Paper A sheet containing clinical/patient identifiable information found by a member of the public in the A&E Car Park. SOUTH BUPA Home Healthcare 40 Digital Loss of inadequately protected laptop from outside secured NHS. SOUTH Royal Cornwall Hospitals NHS Trust 70 Paper Midwifes notebook with 70 patient s SPD was stolen from her house. 3

4 Incident Cluster Organisation Name ICO Grade (I, II, III, IV,V) Volume Format (Paper/Digital/Other) Summary of Incident NORTH Bury PCT I - Loss/theft from secured 45 Digital USB stick used to transfer records from ultrasound machine to laptop is missing from AAA service at Wythenshawe Hospital. NORTH Southport and Ormskirk Hospital NHS Trust 32 Paper Trust vehicle stolen. It contained 4 patient s medical records 1 employee personnel record and 27 patient referral letters SOUTH Isle of Wight NHS PCT 100+ Paper Bag containing encrypted laptop and files with clinical/patient identifiable information found at bus stop by member of the public. LONDON NHS Shared Business Services Ltd obo The Royal Marsden NHS Trust I - Loss/theft from secured 1000 Paper Batch of payslips stolen from courier. NORTH Dr Moss and Partners I - Loss/theft from secured 25 Digital Lost USB stick containing 25 DS low risk data. Shrewsbury & Telford NHS Trust 1 Paper A patient was presented with a set of notes and consent form which belonged to a relative, disclosed in error by the fertility department. West Essex PCT Unknown Digital Member of staff put slightly amended patient details on Facebook. 4

5 Incident Cluster Organisation Name ICO Grade (I, II, III, IV,V) Volume Format (Paper/Digital/Other) Summary of Incident SOUTH Kent Community Health NHS Trust I - Loss/theft from secured 183 Paper Unable to locate 183 patient files (inc deceased patients). SOUTH Oxford Health NHS Foundation Trust Unknown Digital List of DS Sensitive data sent to all GP Practices in the area instead of separately per practice. SOUTH Southern Health NHS Foundation Trust Paper A4 ring binder left on pay machine at a multi storey car park. Jun-12 LONDON Camden PCT 207 Digital E mail to GP's including PD of other GP surgeries. Jun-12 NORTH Barnsley Hospital NHS Foundation Trust Unknown Paper Letters sent to patients instead of GP including letters about other patients. Jun-12 NHS Coventry V - Other Unknown Unknown Premature destruction of deceased patient records. Jun-12 Worcestershire Acute Hospitals NHS Trust 20 Paper Pathology reports containing sensitive results for 18 patients were inadvertently sent to a Payroll Department. Jun-12 SOUTH NHS Surrey III - Unsecure disposal of data 4650 Digital Hard drive sent to contractor for destruction sold on ebay. 5

6 Incident Cluster Organisation Name ICO Grade (I, II, III, IV,V) Volume Format (Paper/Digital/Other) Summary of Incident Jun-12 SOUTH Southern Health NHS Foundation Trust 30 Other Dictaphone lost in park containing details of therapy sessions. Jun-12 N/A General Medical Council Unknown Other Hearing transcript sent via to the wrong recipients. Jun-12 N/A The Leiston Surgery I - Loss/theft from secured 4 Other Missing video camera with footage of patients. 6

7 Appendix A: ICO Action April 2011 to August 2012 Date of Prosecutions 12-Jan-12 A former health worker has pleaded guilty to unlawfully obtaining patient information by accessing the medical records of five members of her ex-husband s family in order to obtain their new telephone numbers A receptionist who unlawfully obtained her sister-in-law s medical records in order to find out about the medication she was taking has been found guilty of an offence under section 55 of the Data Protection Act. 01-Jun-11 A personal injury claims company employee has been prosecuted for illegally obtaining NHS patients information Monetary Penalties 06-Aug Jul Jun Jun Jun A monetary penalty of 175,000 was issued to Torbay Care Trust after sensitive personal information relating to 1,373 employees was published on the Trust s website. A monetary penalty of 60,000 was issued to St George s Healthcare NHS Trust after a vulnerable individual s sensitive medical details were sent to the wrong address. A monetary penalty notice of 225,000 has been served to Belfast Health and Social Care Trust following a serious breach of the Data Protection Act. The breach led to the sensitive personal data of thousands of patients and staff being compromised. The Trust also failed to report the incident to the ICO. A monetary penalty for 90,000 has been served to Telford & Wrekin Council for two serious breaches of the seventh data protection principle. A Social Worker sent a core assessment report to the child s sibling instead of the mother. The assessment contained confidential and highly sensitive personal data. Whilst investigating the first incident, a second incident was reported to the ICO involving the inappropriate of foster carer names and addresses to the children s mother. Both children had to be re-homed. A monetary penalty notice for 325,000 has been served on Brighton and Sussex University Hospitals NHS Trust following the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff including some relating to HIV and Genito Urinary Medicine patients on hard drives sold on an Internet auction site in October and November A monetary penalty notice for 90,000 has been served on Central London Community Healthcare NHS Trust for a serious contravention of the DPA, which occurred when sensitive personal data was faxed to an incorrect and unidentified number. The contravention was repeated on 45 occassions over a number of weeks and compromised 59 data subjects' personal data. A monetary penalty of 70,000 was issued to the London Borough of Barnet following the loss of sensitive information relating to 15 vulnerable children or young people, during a burglary at an employee s home. 7

8 30-15-Feb Feb Feb Jan Dec Nov Nov Jun Feb Feb-11 A monetary penalty of 70,000 has been issued to the Aneurin Bevan Health Board following an incident where a sensitive report - containing explicit details relating to a patient s health - was sent to the wrong person. A monetary penalty of 80,000 has been issed to Cheshire East Council after an containing sensitive personal information about an individual of concern to the police was distributed to 180 unintended recipients. A monetary penalty of 100,000 has been issed to Croydon Council after a bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub. A monetary penalty of 80,000 has been issed to Norfolk County Council for disclosing information about allegations against a parent and the welfare of their child to the wrong recipient. A monetary penalty of 140,000 was issued to Midlothian Council for disclosing sensitive personal data relating to children and their carers to the wrong recipients on five separate occasions. The penalty is the first that the ICO has served against an organisation in Scotland. A monetary penalty of 130,000 was issued to Powys County Council for a serious breach of the Data Protection Act after the details of a child protection case were sent to the wrong recipient. A monetary penalty of 60,000 was issued to North Somerset Council for a serious breach of the Data Protection Act where a council employee sent five s, two of which contained highly sensitive and confidential information about a child s serious case review, to the wrong NHS employee. A monetary penalty of 80,000 was issued to Worcestershire County Council for an incident where a member of staff ed highly sensitive personal information about a large number of vulnerable people to 23 unintended recipients. A monetary penalty of 120,000 was issued to Surrey County Council for a serious breach of the Data Protection Act after sensitive personal information was ed to the wrong recipients on three separate occasions. A monetary penalty of 80,000 was issued to Ealing Council following the loss of an unencrypted laptop which contained personal information. Ealing Council breached the Data Protection Act by issuing an unencrypted laptop to a member of staff in breach of its own policies. A monetary penalty of 70,000 was issued to Hounslow Council following the loss of an unencrypted laptop which contained personal information. Hounslow Council breached the Act by failing to have a written contract in place with Ealing Council. Hounslow Council also did not monitor Ealing Council s procedures for operating the service securely. Undertakings 13-Jul-12 West Lancashire Borough Council. This follows the theft of a business continuity bag containing emergency response documents and personal data relating to 370 council employees. 8

9 Mar Mar Mar Mar Feb Feb Feb Feb-12 the Aneurin Bevan Health Board. This follows an incident where a sensitive report - containing explicit details relating to a patient s health - was sent to the wrong person. This breach was also the subject of a monetary penalty. Leicestershire County Council, following the theft of a briefcase containing sensitive personal data from a social worker s home. Hertfordshire County Council. This follows the loss of an Attendance and Pupil Support consultation folder in January South London Healthcare NHS Trust. This follows the loss of two unencrypted memory sticks, the leaving of a clipboard with ward lists attached in a grocery store and a failure to adequately secure some patient paper files when not in use. All of the information was recovered. An Undertaking has been signed by Pharmacyrepublic Ltd following the theft of a patient medication system containing the medication details of 2000 patients. The system, which was supplied by another firm, should have been securely returned to them by Pharmacyrepublic Ltd before the were vacated. Community Integrated Care, a national social care charity. This follows the theft of an unencrypted laptop containing personal and sensitive personal data. An Undertaking to comply with the seventh data protection principle has been signed by London Borough of Croydon. This follows the theft of a bag belonging to a social worker from a public house in London. The bag contained a hard copy file of papers concerning a child who is in the care of the Council. This incident was also subject to a monetary penalty which was announced earlier this month. Dr Pervinder Sanghera of Arthur House Dental Care. This follows the discovery of an unencrypted memory stick containing personal and limited sensitive personal data relating to patients and employees of the practice. Healthcare provider Turning Point has signed an undertaking committing the organisation to take action after the loss of three service users files during an office relation. Five local authorities have signed undertakings to comply with the seventh data protection principle, following incidents where the councils failed to take appropriate steps to ensure that personal information was kept secure. Basingstoke and Deane Borough Council breached the Data Protection Act on four separate occasions during a two month period last year. The breaches included an incident in May when an individual was mistakenly sent information relating to 29 people who were living in supported housing. Brighton and Hove Council ed the details of another member of staff s annual salary - and the deductions made from this - to 2,821 council workers. A third party also informed the ICO of a historic breach which occurred in May 2009 when an unencrypted laptop was stolen from the home of a temporary employee. 9

10 10-Feb Jan Nov Nov Nov Oct Oct Oct Oct Sep Sep Sep-11 Undertakings have been signed by Dacorum Borough Council, Bolton Council and Craven District Council. Praxis Care Limited breached both the UK Data Protection Act and the Isle of Man Data Protection Act by failing to keep peoples data secure. An unencrypted memory stick, containing personal information relating to 107 Isle of Man residents and 53 individuals from Northern Ireland, was lost on the Isle of Man. An undertaking to comply with the seventh principle of the DPA has been signed by The London Borough of Southwark, further to the inappropriate disposal personal of an imac computer and paper records. The matter was brought to the attention of the ICO when the afore mentioned items were found by a member of the public in a skip being used to cleanse a decommissioned and vacant property, which was part of a complex previously owned by the data controller. A substantial volume of sensitive personal data relating to around 7,200 individuals was contained on the imac and within the paper records detailing ethnicity, medical history and criminal convictions. An undertaking has been signed by Central Essex Community Services after the loss of a birth book containing information about the general health of 249 mothers and their babies. The book which should have been stored in a locked filing cabinet was stored on top of the cabinet in a locked room due to no secure storage space being available. The book has never been recovered. the chief executive of Rochdale Metropolitan Borough Council. This follows an incident earlier this year in which an unencrypted USB stick containing some personal data relating to thousands of local residents was lost. An Undertaking to comply with the seventh data protection principle has been signed by University Hospitals Coventry & Warwickshire NHS Trust. This follows two separate incidents involving the loss of personal data by the Trust. Dumfries and Galloway Council. This follows the accidental online of current and former employee s personal data in response to a Freedom of Information (Scotland) Act request. An undertaking has been signed by Dartford and Gravesham NHS Trust following the accidental destruction of 10,000 archived records. The records which should have been kept in a dedicated storage area were put in a disposal room due to lack of space. An undertaking has also been signed by Poole Hospital NHS Foundation Trust after two diaries containing information relating to the care of 240 midwifery patients - were stolen from a nurse s car. The diaries included patients names, addresses and details of previous visits and were used by the nurse during out of hours duty. An undertaking to comply with the third and seventh data protection principles has been signed by Eastleigh Borough Council. This follows the potential of a document containing sensitive personal data. Royal Liverpool & Broadgreen University Hospitals NHS Trust. This follows two separate incidents involving the loss of personal data by the Trust. An Undertaking to comply with the seventh data protection principle has been signed by Eastern and Coastal Kent Primary Care Trust. This follows the loss of a CD containing personal data during a move of office. 10

11 09-Sep Sep Sep Sep Aug Aug Jul Jul Jul Jul Jul Jul-11 Walsall Council. This follows the accidental disposal of postal vote statements in a skip by the council s data processor. The council did not have a written agreement with the data processor selected to store this personal data. London Ambulance Service NHS Trust. This follows the theft of a personal unencrypted laptop containing patient data. University Hospital of South Manchester NHS Foundation Trust. This follows the loss of an unencrypted memory stick containing personal information relating to approximately 87 patients. Luton Borough Council. This follows a self reported breach concerning a flaw in the encryption function of a number of Council issue memory sticks. The flaw could allow memory sticks to be formatted removing encryption protection. An undertaking to comply with the seventh principle of the DPA has been signed by the London Borough of Greenwich. This follows two incidents where sensitive personal data was inadvertently disclosed, due to the Council's failure to implement appropriate wording in their ICT policy, stating that the sending of sensitive personal data in business related s to external webmail addresses should be avoided. HCA International Limited. This follows the theft of two unencrypted laptops containing sensitive personal data from one of the group s hospitals in March. Kirklees Metropolitan Council. This follows the inappropriate of personal data by care workers contracted by Kirklees Metropolitan Council. Northamptonshire Healthcare NHS Foundation Trust. This follows the loss of one individual s medical records. Basildon and Thurrock University Hospitals NHS Foundation Trust. This follows the transmission of a fax containing sensitive personal data to the wrong recipient. An undertaking to comply with the seventh principle of the DPA has been signed by Dunelm Medical Practice, further to the inappropriate facsimilie transmission and subsequent of two patient's electronic discharge letters, which contained sensitive personal data, including medical information. East Midlands Ambulance Service NHS Trust. This follows the transmission of a fax containing sensitive personal data to the wrong recipient.. the Ipswich Hospital NHS Trust. This follows the discovery of 29 patient records containing sensitive personal data in a public place. 11

12 01-Jul Jun May May Apr Apr Apr Apr Apr Apr Apr Apr-11 Lancashire Teaching Hospitals NHS Foundation Trust. This follows the faxing of sensitive personal data to a member of the public on more than one occasion. North Lanarkshire Council. This follows the theft of hard copy documents containing sensitive personal data. the charity Asperger s Children & Carers Together (ACCT). This follows the theft of an unencrypted laptop containing sensitive personal data last Christmas. Somerset County Council. This is a result of a teenager s social care records having been sent to the wrong family. NHS Birmingham East and North. This follows the discovery that Trust employees could access electronic files unrelated to the department they worked in. An undertaking to comply with the seventh principle of the DPA has been signed by Norwich City College of Further and Higher Education, detailing two instances, where a total of 80 student files, some of which contained sensitive personal data including medical information, were inappropriately disposed of. the Borough of Poole. The Council reported that faxes had been sent to the wrong number on three occasions last year. University College London Hospitals NHS Foundation Trust. This follows the discovery of an unencrypted memory stick off Trust. The memory stick contained sensitive personal data relating to 750 Trust patients. NHS Liverpool Community Health has signed an undertaking after it breached the Data Protection Act (DPA) by losing papers relating to the medical history of 31 children and their birth mothers during a move in October last year. The ICO s investigation found that NHS Liverpool had no formal contract in place with the removal company to handle personal data - a requirement of the Act - and had no process in place to ensure personal data was kept secure throughout the move. In a separate incident, the ICO has also found the Council for Healthcare Regulatory Excellence (CHRE) in breach of the Act after the possible loss of documents from complaint review files containing sensitive personal data. However due to weaknesses in CHRE s document recording, administration and communication processes the organisation cannot be certain if the information was ever received or whether it was subsequently lost or destroyed. An undertaking to comply with the seventh principle of the DPA has been signed by City of York Council, further to the inappropriate of an individual s personal data, which occurred as a result of the information in question being errouneously included with documentation sent to an unrelated third party. Royal Cornwall Hospitals NHS Trust. This follows the inappropriate of third party sensitive personal data on two occasions, in response to a subject access request. 12

13 01-Apr-11 Warrington and Halton Hospitals NHS Foundation Trust. This follows the theft on an unencrypted laptop containing sensitive personal data relating to 110 patients. 13