by Dave Gradijan

U.K. Hospital Denies Stolen USB Stick Held Sensitive Data

Jul 31, 2007

A U.K. National Health Service (NHS) hospital trust has denied that a stolen USB stick contained confidential patient data.

Nottingham University Hospitals trust confirmed that a USB stick was stolen in April, but said suggestions made by a doctor in the British Medical Journal that the storage device contained confidential information did not take into account the results of an investigation into the incident.

In a letter to the journal, Dr. Matthew Daunt wrote: “Recently confidential patient data held on an unprotected USB stick were stolen. The trust had to inform the patient and face liability for distress or damage caused along with public condemnation.”

But a spokeswoman for the trust said: “In line with trust policy, the incident was reported and subsequently investigated. The outcome of the investigation was that there was no evidence to suggest confidential patient information was involved.”

She added: “We take the responsibility of protecting patient data extremely seriously. We are always looking at ways of improving information security and ensure that all staff are given and can easily access the policies and procedures relating to information and security and data protection.”

The letter outlines what the consequences for the trust would have been if the USB stick had contained confidential data, she said.

The letter correctly states the trust’s security policy—that confidential data should be stored on 128-bit encrypted USB sticks, with “if found” labels on them, and be used solely on the trust’s computers—the spokeswoman added.

Dr. Daunt was not available for comment.

His letter outlines findings from his own survey of junior doctors, which revealed a lack of compliance with the policy. “I asked 50 junior doctors about their electronic storage of patient data. Thirty-six of them stored patient data electronically, 20 using a USB stick, three a floppy disk, and 13 a hospital computer hard drive,” it says.

“None of the 20 USB sticks had 128-bit encryption, and only three had password protection (still insufficient for the trust’s requirements). Four doctors used the same device on their personal computer(s), two of which had patient data stored on them.”

Dr. Daunt’s letter says the trust’s data-protection adviser had since recommended enhanced USB stick security protection, with mandatory password protection. The trust would supply 128-bit secured USB sticks for doctors’ use, while “an extensive communications program will seek to raise awareness and promote compliance.”

The Nottingham hospital trust is a neighbor to Nottinghamshire Teaching primary care, where a laptop containing names, addresses and dates of birth of 11,500 children was stolen earlier this year.

The laptop was later recovered by police.

— Tash Shifrin, Computerworld UK