A hospital lost a filing cabinet containing vulnerable patients’ confidential details in a major security breach, it has emerged.

Documents, containing data on 63 patients - who could be from anywhere in south-west London - disappeared from Sutton Hospital last year prompting an investigation by Government inspectors.

Croydon Guardian:

Sutton Hospital

Privacy campaigners have called the Epsom and St Helier Trust’s loss of the cabinet a "fundamental failure" to protect patients' privacy while Carshalton and Wallington MP Tom Brake has demanded the trust keep tighter control of patient records.

The incident was one of 243 in 2012-13 relating to information security involving the trust such as data protection and confidentiality - nine of which were recorded as "serious".

Details of the high-level breach only emerged in a hospital report published last month.

The trust wrote to each patient affected, who were being treated for chronic fatigue (also known as ME), and set up a dedicated phone line to deal with any of their concerns.

The filing cabinet, which was held securely behind locked doors, went missing when the building was vacated by another organisation, understood to be South West London and St George’s Mental Health NHS Trust.

The security failure was reported to the Information Commissioner’s Office (ICO) - an independent authority which regulates data protection.

Emma Carr, deputy director of privacy campaign group Big Brother Watch, said: "This kind of fundamental failure to protect patients' privacy is nothing short of astounding.

"The fact that an entire filing cabinet, containing potentially confidential and sensitive patient data, was lost calls into question just how seriously Epsom and St Helier Hospital take patient privacy."

The ICO carried out an audit including interviews with key members of staff this year and made a number of recommendations to the trust. Despite having the power to issue fines of up to £500,000 they considered the actions taken by the trust and decided not to act this time. It was the only breach that year reported to the organisation.

The trust was in trouble with the ICO in 2009 after it left thousands of patient records in an unlocked boiler room for two years at Sutton hospital.

Croydon Guardian:

Documents found in an unlocked room in 2009

A spokesman for the Information Commissioner’s Office said they would keep a record of the incident and may revisit it again if similar issues come to their attention.

Croydon Guardian:

Tom Brake the MP for Carshalton and Wallington said: "Patients must be able to expect the highest standards of care when it comes to their records.

"But the hospital needs to keep a much tighter control over people’s personal information.

"Following this failure they must put in place, if they haven’t already, a detailed plan of action to ensure that in future records are secure."

A spokesperson for the Epsom and St Helier Trust said:  "It is important to note that the documents removed were not full patient records, but contained details of patients who had attended a life style management course with the service.

"Since the incident took place we have taken a number of steps to help ensure that a similar event could not occur again. 

"This year, for example, we are making some significant improvements to the way we manage and track our 1.3m medical records, bringing the whole system up-to-date and making it much easier to use."