http://securityratty.com/tag/freephone Fri, 11 Jan 2008 14:15:40 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/1fa6887ba7491f504446d387e63807fc http://securityratty.com/article/1fa6887ba7491f504446d387e63807fc Security Breach

Date Reported:
1/11/08

Organization:
Oldham Primary Care Trust NHS (PCT)

Contractor/Consultant/Branch:
None

Victims:
PCT "clients"

Number Affected:
148

Types of Data:
"The information lost related to copies of assessments about future healthcare needs held in a secure central file. It included people’s names, addresses and dates of birth."*

*I'm not sure if this means that copies of assessments AND names, addresses and dates of birth OR just names, addresses and dates of birth.

Breach Description:
The Oldham Primary Care Trust NHS has issued a press release announcing the loss of two "data sticks" containing personal information belonging to clients that had contact with the organization's continuing care service.  A total of 148 clients were affected by the breach.

Reference URL:
The Oldham Primary Care Trust NHS Press Release
Manchester Evening News Story

Report Credit:
Oldham Primary Care Trust NHS

Response:
From the online sources cited above:

A breach of information security has taken place. Two data sticks containing information relating to 148 clients who have been in contact with the PCT’s continuing care service have been reported missing.

This should never have happened.
[Evan] Got that right.

All the individuals affected have been identified. Our first priority has been to try to contact all 148 individuals, or their representatives, personally. We have made personal contact with 145, and offered to visit them. We are waiting for three to get back to us after several attempts to contact them.

We have followed up the contacts in writing with our sincere apologies, and have set up a
dedicated freephone information line for those who may have further questions.

The information lost related to copies of assessments about future healthcare needs held in a secure central file. It included people’s names, addresses and dates of birth. It did not contain financial information.
[Evan] It's a little unclear to me what this means exactly.

There is no risk at all to anyone’s future care.

A formal internal investigation has been launched.

The PCT takes patient confidentiality extremely seriously and has taken immediate action to prevent any further similar incidents.  All data sticks containing ‘personal’ information have been recalled, and a full and thorough review of current processes and procedures is now underway.

Gail Richards, Oldham PCT chief executive, said: “We are deeply sorry – this should never have happened. We have launched a full and thorough investigation, and are reviewing our current policies relating to data storage.
[Evan] It's always a good sign when a "chief executive" comments on security.  I have said this before, but it shows that they understand their information security role and that the buck stops with them.

“While we believe the data sticks have been lost, we have reported the incident to the police in order to get the best advice possible. We have no reason at all to believe the information has been accessed by anyone else.”

To make sure this cannot happen again, the PCT:

• Is undertaking a full audit of how removable media is used across the PCT
• Has recalled all data sticks and pen drives which contain ‘personal’ data
• Nearly completed recalling all data sticks and pen drives in order to reissue encrypted devices to staff alongside a new procedure for their use
• Has reminded all staff formally of existing policies and procedures
• Is urgently developing updated guidance for staff around information security
  

[Evan] These steps will go a long way towards preventing an similar occurrence.  This is sound information security judgment, in my opinion.

Anyone with concerns should contact the PCT’s information line on freephone 0800 144 4304.  The line is open from 8.30am8pm MonFri and 10am4pm SatSun.

Commentary:
Overall, this has to be one of the best responses I have seen in some time from an organization that experienced a breach of personal information.  The response is open, thorough and honest.  After reading the press release, I am clear about what happened and what Oldham Primary Care Trust ("PCT") plans to do about it.  Too many times, organizations attempt to keep a breach under wraps.  PCT prominently displays the information on their web site home page.



The breach happens.  The organization comes to terms with the fact that a breach occurred.  The organization reaches out to everyone affected with an honest explanation and sincere apology.  The organization issues a press release to announce what took place and what it intends to do about it.  The organization saves face and keeps a certain amount of trust in the process.  I am impressed with how PCT has responded to this breach.

Past Breaches:
January, 2008 - Medical information found in the road
December, 2007 - Laptop stolen from Royal Bolton Hospital NHS
September, 2007 - Dudley Group of Hospitals NHS hard drives for sale on eBay

]]> Fri, 11 Jan 2008 14:15:40 +0000 information information lost personal information financial information medical information information security data freephone information line data sticks Oldham Primary Care Trust NHS loses two data sticks