Dissent at databreaches.net notes that the UK’s Information Commissioner’s Office has a very short entry regarding a data breach that affects 1.6 million people. Apparently, a CD was sent to a landfill by mistake. Furthermore, it appears the information was not protected with medical data encryption, such as proffered by AlertBoot.
Ironically, “Physical Security” in Place
Encryption software is not a panacea. While data encryption is a highly effective and efficient tool for preventing the leakage of sensitive information, it cannot and will not work all the time. For example, if the data theft is occurring by someone who holds the passwords for accessing such data (e.g., an employee stealing customer information).
However, I recommend that data encryption be used always when a massive amount of information is being stored. As a rule of thumb, I’d say that if your database contains more than 5,000 data sets, encryption should not be a consideration but a certainty. This is even more true if the storage medium happens to be one that is designed for portability.
I bring this up because the information lost by Eastern and Coastal Kent Primary Care Trust, the data controller in charge of the CD mentioned above, was actually protected: they had placed it in a filing cabinet.
The decision to place it in a filing cabinet was made during an office move, and unfortunately, the filing cabinet was destined to a landfill. Efforts were made to recover the CD without success.
As a result, the names, addresses, dates of birth, NHS numbers, and GP code for 1.6 million patients were lost. This is, without a doubt, a breach of the Data Protection Act.
Information is Not “Current.” Bollocks
Regarding the situation, the chief executive of the trust noted that
…the filing cabinet was not current – the most recent information was from 2002,” she[the chief executive] said.
“There was no clinical data involved and the data is beyond retrieval.
“It is important to stress that information systems now are far more secure than they were at the time these files were produced – we no longer store information on floppy disks or CDs and use sophisticated systems of encryption.” [publicservice.co.uk]
Well, congratulations to Eastern and Coastal Kent Primary Care Trust for that, but what are they doing for all of their old data? While they might claim the data is “not current,” if one takes a look at the lost data, there’s not much that “goes out of style” if you get my drift.
I mean, how often can one change one’s name or birth date? NHS numbers are pretty fixed, if I’m not wrong, and while the modern era sees more changes of addresses than in the past, you can bet a significant number of the 1.6 million people still reside in the same place as in 2002.
It seems to me that, when the PCT went ahead and made all those security changes, they should have taken their old data and secured them as well.