Confidential patient details lost in major security breach at Sutton hospital

A filing cabinet has been lost containing patient details

A hospital lost a filing cabinet containing vulnerable patients’ confidential details in a major security breach, it has emerged.

Documents containing data on 63 patients - who could be from anywhere in south-west London - disappeared from Sutton Hospital last year, prompting an investigation by Government inspectors.

Sutton Hospital

Privacy campaigners have called the Epsom and St Helier Trust’s loss of the cabinet a "fundamental failure" to protect patients' privacy while Carshalton and Wallington MP Tom Brake has demanded the trust keep tighter control of patient records.

The incident was one of 243 in 2012-13 relating to information security involving the trust such as data protection and confidentiality - nine of which were recorded as "serious".

Details of the high-level breach only emerged in a hospital report published last month.

The trust wrote to each patient affected, who were being treated for chronic fatigue (also known as ME), and set up a dedicated phone line to deal with any of their concerns.

The filing cabinet, which was held securely behind locked doors, went missing when the building was vacated by another organisation, understood to be South West London and St George’s Mental Health NHS Trust.

The security failure was reported to the Information Commissioner’s Office (ICO) - an independent authority which regulates data protection.

Emma Carr, deputy director of privacy campaign group Big Brother Watch, said: "This kind of fundamental failure to protect patients' privacy is nothing short of astounding.

"The fact that an entire filing cabinet, containing potentially confidential and sensitive patient data, was lost calls into question just how seriously Epsom and St Helier Hospital take patient privacy."

The ICO carried out an audit including interviews with key members of staff this year and made a number of recommendations to the trust. Despite having the power to issue fines of up to £500,000 they considered the actions taken by the trust and decided not to act this time. It was the only breach that year reported to the organisation.

The trust was in trouble with the ICO in 2009 after it left thousands of patient records in an unlocked boiler room for two years at Sutton hospital.

Documents found in an unlocked room in 2009

A spokesman for the Information Commissioner’s Office said they would keep a record of the incident and may revisit it again if similar issues come to their attention.

Tom Brake, the MP for Carshalton and Wallington, said: "Patients must be able to expect the highest standards of care when it comes to their records.

"But the hospital needs to keep a much tighter control over people’s personal information.

"Following this failure they must put in place, if they haven’t already, a detailed plan of action to ensure that in future records are secure."

A spokesperson for the Epsom and St Helier Trust said: "It is important to note that the documents removed were not full patient records, but contained details of patients who had attended a lifestyle management course with the service.

"Since the incident took place we have taken a number of steps to help ensure that a similar event could not occur again. 

"This year, for example, we are making some significant improvements to the way we manage and track our 1.3m medical records, bringing the whole system up-to-date and making it much easier to use."

Comments (3)

6:25am Thu 10 Oct 13

Dennis R says...

Here's a suggestion: adopt the MoD manual on the safeguarding of classified materials. Oh, wait! That won't work, will it?

Missing from the news article were the well-worn phrases "we take these matters most seriously," "full investigation, blah, blah, blah," and "lessons to be learned." Obviously the three were omitted because full investigation and lessons teach nothing and these matters appear to be regularly brushed off.

A major hospital near me lost computer backup tapes of their patient files. Each night a different employee was detailed to take the tape reel(s) home until the following day. One night an employee's car was broken into and the tape(s) stolen. This needn't have happened. The hospital had an office complex three blocks away. The whole situation could have been resolved with the purchase of two data safes; one at each location. The hospital tapes could be stored in the office complex and the tapes from the office complex stored in the hospital. Only the unlikely and catastrophic destruction of both facilities would cause the loss of their data.
  • Score: 3

1:45pm Thu 10 Oct 13

Leonsm says...

Erm.. More like patients' details have been sold on
  • Score: 8

9:15pm Thu 10 Oct 13

drhowardfredrics says...

This makes me wonder whether or not Southwest St. George's Mental Health Trust was behind the breach of patient privacy. Could they have walked off with this cabinet? Wouldn't surprise me one bit, given their history of deceit.
http://www.nhsexpose.co.uk
  • Score: 6
