Whittington NHS Trust loses 18,000 sets of data

by Michael Smith

The personal details of nearly 18,000 NHS staff have gone missing in the post, it has emerged.

Four computer discs containing the details of 17,990 current and former staff were lost in July when they were sent between Whittington Hospital NHS Trust in north London and McKesson, a firm providing IT payroll services.

Those CDs contained the names, dates of birth, national insurance numbers, start dates and pay details of all staff of Whittington Hospital NHS Trust, Islington Primary Care Trust, Camden Primary Care Trust and Camden and Islington NHS Foundation Trust.

They also contained the addresses of some staff, although Whittington trust insisted they did not contain anyone's personal bank account details. Well, now there is a relief. But this has just be announced rather in a very slap happy way.

The more we hear about this the more we can but wonder as to whether there is somewhere in British government institutions, including NHS Trusts, the MOD, etc., a competition going on as to how many sets of data can be lost. This kind of criminal negligence just cannot be explained away in any other way unless gross stupidity also has something to do with it.

The trust said the discs went missing when an envelope they were in was placed in a post tray marked "recorded delivery" on Tuesday 22 July. But there was no record of the discs being sent.

The chief executive of the trust said that each one had a separate alpha-numeric passwords on them which, unless found by expert hackers, are very difficult to break. Let us just hope that this is indeed the case. But they have just password. They are NOT encrypted. Who the **** is running this asylum called British government?

He apologised to all those affected by the blunder, saying it was the first time information had been sent through the post and that the member of staff thought to be responsible has been suspended.

"It is trust policy to send any such information by courier," he said, and he added, “to our knowledge this is the one and only time that such information was directed through the post.

"An investigation is underway, with an enquiry panel taking place shortly. In the meantime, a member of staff has been suspended."

It is NOT the member of staff whose head should roll – at least not alone. The buck does not stop at the little guy or girl who may not even have been told how to send the CDs and never been told that they are to be sent by courier.

This revelation led both the Conservatives and the Liberal Democrats to call on the Government to scrap its planned electronic database of 50 million patient records in England. One can but add to that a call to scrap the National ID Card scheme and other such hair brained things. This country and its government are incapable of looking after data of its people.

Not that it would be impossible to make the systems safe. While it may not be possible to 110% guarantee that no one ever will be able to get hold of someone's details it is possible to encrypt the data to such an extent that it would take even a sophisticated hacker – even a hacker team – months if not more – to gain access to the data. If the protection would then be set in such a way that a limited attempts are permitted only and the data will after the limit be wiped c;lean then things would be safer still. This is NOT rocket science, as I keep saying. The technology is available and out there.

© M Smith (Veshengro), September 2008