[SecurityRatty] tag: patient

Encrypting Disks

Fri, 04 Jul 2008 09:10:18 +0000

The UK is learning:

The Scottish Ambulance Service confirmed today that a package containing contact information from its Paisley Emergency Medical Dispatch Centre (EMDC) has been lost by the courier, TNT, while in transit to one of its IT suppliers. The portable data disk contained a copy of records of 894,629 calls to the ambulance service's Paisley EMDC since February 2006. It was fully encrypted and password protected and includes the addresses of incidents, some phone numbers and some patient names. Given the security measures and the complex structure of the database it would be extremely difficult to gain access to any meaningful information.

News story here. That's what you want to do. There is no problem if encrypted disks are lost. You can mail them directly to your worst enemy and there's no problem. Well, assuming you've implemented the encryption properly and chosen a good key. This is much better than what the HM Revenue & Customs office did in November. I wrote about disk and laptop encryption previously.

Medical records under threat

Fri, 20 Jun 2008 15:20:00 +0000

Just saw a disturbing article on how folks are targeting medical records. Apparently Finjan (a security vendor) was trolling for malware and came across a large chunk of data with patient information etc - and get this, it was available for purchase for the highest bidder!

By now all of us are aware that hackers are no longer kids looking for laughs or thrills - they are the new criminal organizations. These organizations make it a business buying and selling data - be it credit cards, bank account information etc.

I suspect medical information can be used for many things - identity theft, blackmail, maybe even insurance fraud. Who knows?

But the main point here is this - it does appear that medical and patient information has value to criminal organizations and this is something to worry about. They will do anything to get their hands on this...

Castlecroft Medical Practice patient information at risk

Thu, 19 Jun 2008 07:54:50 +0000

Technorati Tag: Security Breach

Date Reported:
6/18/08

Organization:
NHS Trust

Contractor/Consultant/Branch:
Wolverhampton City Primary Care Trust
Castlecroft Medical Practice

Victims:
Patients

Number Affected:
~11,000

Types of Data:
"names, dates of birth, addresses, contact details and confidential medical records"

Breach Description:
"A laptop containing confidential medical records of all 11,000 Wolverhampton patients at a city surgery has been stolen from a GP’s house, police revealed today."

Reference URL:
The Press Association
The Express & Star

Report Credit:
The Press Association

Response:
From the online sources cited above:

A laptop containing confidential information about 11,000 patients has been stolen from a GP's home.
[Evan] This is now the 11th breach reported on The Breach Blog concerning NHS Trust and affiliated organizations. What is the excuse? Can the GP and/or Primary Care Trust and/or Medical Practice claim to not know the risks involved?

Contrary to Department of Health guidelines, the information was not encrypted, which would have made it unreadable without a special code to unscramble it.
[Evan] Are medical personnel aware of and required to follow the guidelines? Are there penalties or sanctions for non-compliance?

The laptop was among items stolen in a recent burglary at the home of the unnamed doctor, who works at the Castlecroft Medical Practice in Wolverhampton.

The details of when and where the laptop was taken from are not being released, but a helpline has been launched for worried patients
[Evan] I could not find the helpline phone number; otherwise I would publish it for people.

The information on the computer, which belongs to the practice, included patients' names, dates of birth, addresses, contact details and confidential medical records.

The practice has written to all of its 11,000 patients to inform them that information about them was on the stolen computer.

Dr Peter Wagstaff, senior partner at the practice, said: "The practice is treating this issue very seriously and we are extremely sorry for any distress or concern that it may cause our patients. Though not encrypted, the confidential information on the laptop was protected by a complex password system, which only a person with specialist computer knowledge would be able to crack."
[Evan] If the organization were "treating this issue very seriously", and if it was "truly sorry" then why attempt to minimize the situation (risk) by using the password protection argument. In my opinion (and that shared by many information security professionals), password protection is NOT an adequate preventative control to ensure the confidentiality of the information stored on a laptop computer. This holds especially true in instances where the password protection is controlled by the operating system. See: "Laptop stolen from a Quest Diagnostics employee" and "Not to worry: the stolen laptop was 'password-protected'".

He said the laptop appeared to have been stolen for its re-sale value, rather than for any information stored upon it.
[Evan] In my opinion, this is another attempt to minimize the situation and imply that the risk of confidential information disclosure is less than it may actually be.

Jon Crockett, chief executive of Wolverhampton City Primary Care Trust, said the trust was "extremely concerned" about the theft.

He said: "Patients and the public have the right to expect that those dealing with confidential information maintain the highest levels of security and we are carrying out a full and urgent investigation into this incident."
[Evan] Mr. Crockett makes a very valid point.

National guidance from the Department of Health is that any confidential information about patients must be stored in a safe and secure environment, and mobile devices - including laptops - which contain such data must be fully protected by encryption, he said.
[Evan] Again, Mr. Crockett seems to "get it".

Commentary:
The 11th breach for NHS Trust-affiliated organizations in less than 10 months and the fact that the cause of this one is so well publicized in other breaches does not instill much confidence.

The eleven breaches are only what has been reported on The Breach Blog, there may be more.

Past Breaches:
NHS Trust:
May, 2008 - Sandown Health Centre backup tape is missing
March, 2008 - Stolen NHS flash drive contained adolescent information
February, 2008 - Laptop missing from Russells Hall Hospital (UK)
January, 2008 - Stolen Bolton Hospitals Laptop affects cancer patients
January, 2008 - Queen Mary's Sidcup Hospital microfiche film goes missing
January, 2008 - Stockport Primary Care Trust flash drive goes missing
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Highly sensitive medical information found in the road
December, 2007 - Laptop stolen in Royal Bolton Hospital break-in
September, 2007 - Dudley Group of Hospitals NHS Patient Data For Sale on eBay

Operational security failure

Tue, 17 Jun 2008 07:29:01 +0000

A shocking article appeared yesterday on the BMJ website. It recounts how auditors called 45 GP surgeries asking for personal information about 51 patients. In only one case were they asked to verify their identity; the attack succeeded against the other 50 patients.

This is an old problem. In 1996, when I was advising the BMA on clinical system safety and privacy, we trained the staff at one health authority to detect false-pretext phone calls, and they found 30 a week. We reported this to the Department of Health, hoping they’d introduce some operational security measures nationwide; instead the Department got furious at us for treading on their turf and ordered the HA to stop cooperating (the story’s told in my book). More recently I confronted the NHS chief executive, David Nicholson, and patient tsar Harry Cayton, with the issue at a conference early last year; they claimed there wasn’t a problem nowadays now that people have all these computers.

What will it take to get the Department of Health to care about patient privacy? Lack of confidentiality already costs lives, albeit indirectly. Will it require a really high-profile fatality?

2.2 million billing records missing on stolen backup tape

Wed, 11 Jun 2008 08:33:06 +0000

Technorati Tag: Security Breach

Date Reported:
6/10/08

Organization:
University of Utah

Contractor/Consultant/Branch:
University of Utah Hospitals & Clinics
Perpetual Storage, Inc.

Victims:
Patients

Number Affected:
"approximately 2.2 million"

Types of Data:
"names, related demographic information and diagnostic codes" additionally, "Records for a subset of 1.3 million patients also contained Social Security numbers"

Breach Description:
"SALT LAKE CITY (AP) - Billing records of 2.2 million patients at the University of Utah Hospitals and Clinics were stolen from a vehicle after a courier failed to immediately take them to a storage center"

Reference URL:
University of Utah Hospitals & Clinics
The Salt Lake Tribune
Associated Press via KUTV Channel 2 News

Report Credit:
University of Utah Hospitals & Clinics

Response:
From the online sources cited above:

SALT LAKE CITY (AP) - Billing records of 2.2 million patients at the University of Utah Hospitals and Clinics were stolen from a vehicle after a courier failed to immediately take them to a storage center
[Evan] There is no mention of encryption in any of the news reports I have read regarding this breach, so I am going to go ahead and assume that it was not used. As you read through the publicly available details of this breach below, you will probably agree that the courier driver made an idiotic mistake that he almost certainly regrets, but the University of Utah Hospitals & Clinics is the custodian of this information that should have identified the risks involved with transporting confidential patient records off-site. One of those risks is the possibility that a backup tape may become lost of stolen, which is obviously the case in this breach. Where were preventative controls to account for this unacceptable (in most cases) risk, like encryption?

The records, described only as backup information tapes, contained Social Security numbers of 1.3 million people treated at the university over the last 16 years

people would be notified by a letter at a cost of $500,000 just for stamps and envelopes
[Evan] How much would it have cost to encrypt the information on the tapes? The State of Utah has an exemption in their breach notification law for encrypted information.

The hospital also pledged free credit monitoring

The records were in a gray metal box

The courier, whose name was not released, picked them up in his Ford Explorer on June 1

instead of driving directly to a storage center, he worked a second job and then went home
[Evan] This is the idiotic mistake I was writing about earlier.

The next day, he discovered that someone had broken into his Ford Explorer outside his Kearns home and taken the box

The driver worked for Perpetual Storage Inc. for 18 years and was fired.

Authorities declined to say how easy or difficult it would be to read the records.

The sheriff believes the thief probably thought the box contained money.
[Evan] What it contains could probably be turned into a helluva lot of money!

"The investigation indicates that the theft was probably a random car burglary, and there is no evidence that the information on the tapes has been accessed or used for identity theft," said Salt Lake County Sheriff Jim Winder.
[Evan] Eight days (June 2nd - June 10th) is probably a little too soon for evidence to appear of identity theft.

There's no evidence any of the information on the tapes has been accessed; besides, anyone trying to use the tapes would need specialized equipment to view the contents, Winder said.
[Evan] Specialized equipment like a tape drive?

Eighty percent of the 2.2 million people live in Utah or Idaho, Betz said. The hospital is offering a $1,000 reward for the records. (Lorris Betz, M.D., Ph.D, Senior Vice President for Health Sciences)

The University of Utah Hospitals & Clinics is offering a $1,000 reward for the return of the tapes, no questions asked. Those wishing to claim the reward may call the Sheriff’s Department at (801) 743-7000.
[Evan] To think of this in pure financial terms. A person could return the tape for $1,000 or could access the tape, sell the information and make maybe $5,000.000+. Maybe a good preventative control for organizations is to assume that criminals are stupid as part of your risk management program (seriously though, it's not).

"We understand this is unwelcome news to our patients," said Betz.

The university had worked with Perpetual Storage for 12 years before the theft

The University of Utah Hospitals & Clinics has suspended deliveries of backup tapes to Perpetual Storage pending the review of all procedures and protocols for transporting and storing backup data.

Additionally, the health-care system is taking the following steps on behalf of its 2.2 million patients.

Mailing notification letters to all 2.2 million patients and guarantors;
Providing free credit monitoring and restoration service to patients whose records included Social Security numbers;
Providing a toll-free information line at 1-866-581-3599 to respond to questions; and
Establishing a website at healthcare.utah.edu/billingrecordstheft that provides information and resources.

Victim Reaction:
Tuesday's news was especially unsettling for people like Will Taylor, of West Valley City, whose premature daughter is a patient at University Hospital. Taylor has already been the victim of identity theft once, when thieves racked up credit card charges in his name.

"I will ask [the hospital] what precautions I can take and what they are doing about it," he said.

"If our information isn't safe, then what is?" patient Dan Christenson, of Salt Lake City, said Tuesday after learning of the theft.

Commentary:
I would be more understanding if this were the first breach ever reported where a backup was stolen that contained personal information, but it's not. Employing backup tapes without encryption is a very well documented risk, so why do large organizations still accept it?

Past Breaches:
March, 2008 - Stolen University Health Care laptop requires notification of 4800

Man Gets 5 Years For Hacking

Tue, 10 Jun 2008 22:40:38 +0000

Five years in a Federal lockup that is.

From The Union Tribune:

A Chula Vista man was sentenced to five years and three months in federal prison yesterday for hacking into computers at county medical clinics and erasing patient data.

Jurors convicted John Paul Oson, 38, in August of two charges of intentionally damaging protected computers. U.S. District Judge Thomas Whelan also ordered Oson to pay $409,000 in restitution.

Prosecutors said Oson hacked into the systems in December 2005 after he had left work as a network engineer with the Council for Community Health Clinics. He resigned after receiving a performance evaluation he thought was negative, authorities said.

Hacked his old company after receiving a bad review? Where have I heard this one before? The spectre of Duronio returns.

Article Link

Security Briefing: June 3rd

Tue, 03 Jun 2008 08:16:53 +0000

The joy of the morning commute. Last week was a complete blur but, traffic is far worse.

Click here to subscribe to Liquidmatrix Security Digest!

And now, the news…

Walter Reed says patient data may be compromised | Associated Press
Hacker Hijacks Website of Hacking Tool Maker (Metasploit) | Wired
Fetching Stolen Laptops | EMQ
Philly news anchor embroiled in e-mail hacking scandal | Philly.com
French police smash global hacker ring | vnunet
Google fixes several site security issues | CNET
Exploiting Security Holes Automatically | MIT Technology Review
Apple releases Mac OS X Leopard Security Guide | ZDNet

Tags: News, Daily Links, Security Blog, Information Security, Security News

Walter Reed Army Medical Center breach through P2P

Tue, 03 Jun 2008 05:14:34 +0000

Technorati Tag: Security Breach

Date Reported:
6/2/08

Organization:
United States Army

Contractor/Consultant/Branch:
Walter Reed Army Medical Center ("WRAMC")

Victims:
"Military Health System beneficiaries" or patients

Number Affected:
~1,000

Types of Data:
"Names, Social Security numbers, birth dates and other information"

Breach Description:
"WASHINGTON (AP) — Sensitive information on about 1,000 patients at Walter Reed Army Medical Center and other military hospitals was exposed in a security breach, sparking identity theft concerns and an investigation by the Army."

Reference URL:
Walter Reed Army Medical Center News
Associated Press
WISH TV Channel 8 News

Report Credit:
Walter Reed Army Medical Center

Response:
From the online sources cited above:

WASHINGTON (AP) — Sensitive information on about 1,000 patients at Walter Reed Army Medical Center and other military hospitals was exposed in a security breach, sparking identity theft concerns and an investigation by the Army.

Names, Social Security numbers, birth dates and other information was released, hospital officials said Monday.
[Evan] This information belongs mostly to military personnel that were patients of WRAMC. The victims are the people that defend this country. Grrr.

The computer file that was breached did not include information such as medical records, or the diagnosis or prognosis for patients, they said.

Walter Reed officials declined to explain exactly how the information was compromised, pending an ongoing investigation by the hospital and the Army.
[Evan] There is more insight into the cause of the breach below. Keep reading.

Preliminary results of an on-going investigation have identified a computer from which the data was apparently compromised.

Data security personnel from Walter Reed and the Department of the Army continue to investigate the source and causes for the information compromise.

The medical center learned of the breach on May 21 from an outside data mining company, which officials did not identify.

the company was working for another client, found the file and contacted Walter Reed.

The hospital said it is working to notify all of the people named in the data file. Letters or e-mails were being sent out, beginning Monday.

The chairman of the House Armed Services Committee, Rep. Ike Skelton, D-Mo., said he wants to hear from the Army about its investigation.

"It's very troubling when private data is inappropriately released," Skelton said. "We must ensure that personal information is protected and prevent any future compromise of patient records."
[Evan] Obviously easier said than done.

Walter Reed plans to offer free credit protective services to patients whose information was revealed.

The hospital also has set up a hot line for people to call to see if their information was disclosed (1-877-854-8542, ext. 9).

The Health Insurance Portability and Accountability Act of 1996 protects patients from unauthorized release of their health records. The Walter Reed Army Medical Center has a robust information assurance program that meets all program standards and requirements. The compromised data file did not include protected health information such as medical records, diagnosis or prognosis for patients.

Message to "Team WRAMC" from COL Patty Horoho:
I want to ensure that each of you have an understanding of what may be in the papers regarding possible disclosure of personal data. Walter Reed officials were notified of a possible disclosure of personally identifiable information through a Peer to Peer (P2P) network of approximately 1000 Military Health System beneficiaries. The information did NOT contain any protected health information such as medical records, diagnosis or prognosis for patients. The individuals impacted have been identified and we are taking a proactive approach to contact them to assist in providing fraud protection services. Below is the media release we sent out will provide more details. A 24/7 hotline has been established in the Combined Operations Center, 202-782-8333 or 877-854-8542 ext 9 and a info site on the web page is also being created.

I need everyone to ensure that they are not loading or down loading programs that are not authorized by the command as it increases our vulnerability and possibly can cause a breach in protected information being shared.

Commentary:
So the cause of this breach was an unauthorized installation and configuration of a Peer to Peer (P2P) program. My concerns about this revolve around the ability to install the application and the inability of WRAMC personnel to block and/or detect the network traffic.

The installation of computer programs on a computer usually require elevated privileges such as administrative access. Are users of WRAMC information resources also administrators of their systems? If so, this is generally not a good idea.

P2P programs such as BitTorrent, Morpheus, Lime Wire, etc. are dependent upon a network to work, thus the "Peer to Peer". Most, if not all P2P network traffic is easy to block and/or detect with any combination of filtering, network access control and intrusion detection or prevention. Are these technologies not in use at WRAMC?

Lastly, what is WRAMC policy with respect to acceptable use and network access? There is no mention in the news reports.

Past Breaches:
April, 2008 - Excel Spreadsheet on the web exposes Army officers and civilians

Breach at UCSF gets leadership response

Sat, 31 May 2008 06:34:08 +0000

Technorati Tag: Security Breach

Date Reported:
5/28/08

Organization:
University of California

Contractor/Consultant/Branch:
University of California at San Francisco ("UCSF")
Departments of Pathology and Laboratory Medicine

Victims:
Patients

Number Affected:
3,569

Types of Data:
"names, dates of pathology service, health information and, in some cases, social security numbers"

Breach Description:
"The University of California San Francisco is alerting a group of patients that it has discovered a security breach involving a computer that held personal patient information."

Reference URL:
UCSF News Release

Report Credit:
Kristen Bole, UCSF

Response:
From the online source cited above:

The University of California San Francisco is alerting a group of patients that it has discovered a security breach involving a computer that held personal patient information.

There is no indication that any patient files were accessed.

UCSF takes this situation very seriously and is therefore responding with the highest level of caution and concern.

During routine monitoring of the campus computer network on January 11, 2008, UCSF discovered unusual data traffic on one of its computers.
[Evan] Its good that the unusual traffic was detected through routine monitoring, but I wonder how long the traffic was present before it was detected. Later on in the news release there is mention that an unauthorized movie-sharing program was installed on the computer on or about December 2, 2007. It seems likely that the unusual traffic may have started on or about December 2, 2007. Why the time gap between presence and detection?

The computer was immediately removed from the network to prevent further access.

UCSF conducted a thorough investigation into the incident to assess how this breach occurred and whether any patient information may have been compromised.

The investigation was completed this month.
[Evan] This is a long investigation. January 11th, 2008 through May 1st, 2008 is more than 3 1/2 months.

During the investigation, UCSF determined that an unauthorized movie-sharing program had been installed on this one computer on or about December 2, 2007, by an unknown individual.
[Evan] Uh oh. If the installation of the program requires administrative access to the computer, it is conceivable that the local administrator credentials were compromised. The fact that the news release states "unknown individual" leads me to believe that the account used was potentially a shared account.

Installation of this program required high-level system access, which is why the incident is considered a security breach.

This computer contained files with lists of patients from the UCSF pathology department’s database.

The data included information such as patient names, dates of pathology service, health information and, in some cases, social security numbers.

The Department of Pathology has notified 2,625 UCSF patients whose information was contained on the computer.

The files also included 944 patients whose tissue samples had been referred by other health care providers to UCSF for analysis.

UCSF has established a special phone line (415) 353-7427 and a special email address PathHotline@ucsf.edu to answer questions from patients who receive the notification letters.

The security of protected health information at UCSF is of utmost importance

The campus has undertaken extensive work in this area, including upgrading system security and performing the monitoring that uncovered this breach.
[Evan] Great! I just want to point out that the word "undertaken" is past tense. Information security is a lifecycle employing continuous management, improvement, monitoring, etc.

this event and others nationwide have caused UCSF to redouble its efforts in this area.

UCSF Chancellor J. Michael Bishop has formed a top-level task force to improve the system of controls to protect patient information and other sensitive data.
[Evan] Excellent! This demonstrates good organizational leadership, of which information security is integral. It stinks that it took a breach affecting over 6,000 people before this action was taken.

This task force is composed of campus leadership and is chaired by Executive Vice Chancellor and Provost Eugene Washington.

Chancellor Bishop has charged the group with conducting a comprehensive, expedited review of actions already taken and future actions needed to protect sensitive data, including reviewing associated practices, systems and policies.

He also has charged the committee with implementing the changes needed to safeguard protected health information and other sensitive data and has asked the group to report to him weekly on their status, with an emphasis on actions taken and planned.

Commentary:
I commend UCSF leadership for the establishment of the new task force led from the top. Hopefully the momentum will continue. All organizations, non-profits and profits alike, need information security leadership that comes from the uppermost echelons in order to be effective.

Past Breaches:
University of California:
May, 2008 - Health care practices and UCSF patient records exposed
April, 2008 - University of California Irvine students are hit with mysterious breach

Sandown Health Centre backup tape is missing

Tue, 27 May 2008 09:14:16 +0000

Technorati Tag: Security Breach

Date Reported:
5/19/08

Organization:
NHS Trust

Contractor/Consultant/Branch:
Isle of Wight NHS Primary Care Trust
Sandown Health Centre
City Link (the courier)

Victims:
Patients

Number Affected:
38,650

Types of Data:
Medical records

Breach Description:
"The Isle of Wight NHS Primary Care Trust and the Sandown Health Centre are taking action to reassure patients after a computer tape containing their personal details went missing."

Reference URL:
Isle of Wight NHS Primary Care Trust News
The Press Association
BBC News
eHealth Insider

Report Credit:
The Press Association

Response:
From the online sources cited above:

The Isle of Wight NHS Primary Care Trust and the Sandown Health Centre are taking action to reassure patients after a computer tape containing their personal details went missing.

The tape was sent in March to a London-based specialist GP software company who are responsible for maintaining their clinical software.

They carry out checks on computer back-up tapes to make sure they could be used effectively to restore information to the practice computer system in the event of a system failure or other emergency such as a fire.

Unfortunately, the tape has not been received back at the Health Centre, having been despatched by the company through a courier service in March.

Sent on 11 March, it took two months before the tape’s disappearance was discovered by INPS and the PCT.
[Evan] The amount of time that it took to notice that the tape was missing is cause for concern.

The tape was meant to be tracked at every stage by City Link to ensure it reached its destination - the courier firm admitted this had not happened and it is now investigating the loss.

A spokesperson said: "We are naturally very concerned by the loss of our customer’s consignment and a rigorous search for the parcel continues. We are doing everything in our power to resolve the matter and return the package as quickly as possible."

It is presumed that the tape has been lost, possibly permanently, although all possible efforts are being made to try and find it.

The tape contains medical records of 38,650 current and past patients of the Health Centre from July 1996 onwards.

It includes all current patients and large numbers of patients who registered on a temporary basis whilst visiting or working on the Island and patients who have since transferred to practices elsewhere.

It is standard practice for GPs to hold patient details for at least ten years after they are no longer registered with them.
[Evan] Some of the information on the tape dates back 12 years, but that is still in accordance with "at least ten years".

the risk of the tape being misused is extremely small

The tape requires specialist computer equipment to run it and the data is password protected.

In addition, highly advanced computer skills and/or access to a specialist programme only normally used by GPs and the data verification company are needed to make any sense of the information on the tape.
[Evan] According to the eHealth Insider story the tape was encrypted. Is the "specialist programme"? If this is the case, and presuming that good password management practices were followed, then I agree with the assessment that the risk of disclosure is probably small.

The PCT is working with the practice to contact as many patients as possible and is in the process of writing to those who are currently still registered with the practice.

a dedicated telephone helpline has been set up and can be contacted on 0845 602 6834 between 8am and 8pm from Monday to Friday

The Interim Chief Executive of the PCT, Margaret Pratt, said: "Although there is very little chance of anyone being able to do anything untoward with this tape, should they find it, it is potentially a very serious loss of confidential information.

"It is important that everyone concerned continues to do everything possible to try and locate the tape and that is happening. It is equally important that we provide reassurance to patients over the level of risk that their personal information could be misused and I am confident that risk is extremely small."

"I should stress that neither the Health Centre nor the NHS more widely on the Island are in any way responsible for this tape going missing. However, we will, of course, be reviewing the procedures used for data verification by practices to see if there are lessons to learn."

Dr Peter Randall, Senior Partner at the Sandown Health Centre, added: "We have another copy of the back-up tape and our main computer records system is not affected by this. So we still have access to all the information we need and patient care is not compromised in any way."

"My own view is also that the risk of any harm resulting is minimal. My own family are registered as patients at this practice which means their details are amongst those on the tape. I have no worries about the information falling into the wrong hands and being used improperly."

The incident comes five months after NHS chief executive David Nicholson wrote to all NHS trust chief executives telling them to review and tighten their information governance and data transfer arrangements.
[Evan] Unfortunately, it took a number of breaches before Mr. Nicholson issued his directive. Better late than never. He should be commended in regards to the directive. My hope is that the NHS follows good information security governance practices and continually strives to improve their information security program(s).

Commentary:
There was no mention (unless I missed it) of encryption in the official Isle of Wight NHS news announcement. The encryption mention comes in the eHealth Insider report. It is also not clear what "medical records" entails exactly.

Past Breaches:
NHS Trust:
March, 2008 - Stolen NHS flash drive contained adolescent information
February, 2008 - Laptop missing from Russells Hall Hospital (UK)
January, 2008 - Stolen Bolton Hospitals Laptop affects cancer patients
January, 2008 - Queen Mary's Sidcup Hospital microfiche film goes missing
January, 2008 - Stockport Primary Care Trust flash drive goes missing
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Highly sensitive medical information found in the road
December, 2007 - Laptop stolen in Royal Bolton Hospital break-in
September, 2007 - Dudley Group of Hospitals NHS Patient Data For Sale on eBay