Up to 10,000 Patient Records Exposed in U.K.

There are lessons to be learned from the data breaches involving up to 10,000 National Health Service patients, especially for businesses subject to HIPAA.

18 June 2014

Up to 10,000 Patient Records Exposed in U.K. - Intralinks' CollaboristaBlog

Storing patient records in an unencrypted format, along with allowing security breaches, have put the spotlight on a Birmingham, England, medical services provider.

The alleged data breaches may involve up to 10,000 National Health Service (NHS) patients, says the BBC News. The company in question is ultrasound scan provider Diagnostic Health, according to an official report from the U.K. Information Commissioner's Office (ICO). The ICO report was leaked to the BBC.

Stolen Laptop, Shared Password

Diagnostic Health began to be noncompliant in its data handling in June 2013, the BBC claims. The various allegations against Diagnostic Health include:

  • Employees used a group password to access files from an online storage account
  • Patient referral information was emailed directly to staff inboxes
  •  The company lacked records about who accessed the system, and when
  • Staff couldn’t delete personal data from a former consultant’s laptop — once the data was out the door there was no way to control it
  • After a business laptop was stolen from an employee’s home, the company didn't immediately make an official report to authorities

Improper Treatment of Patient Data

This news came as a shock to Daniel Ray, the data controller at the University Hospital Birmingham, prompting him to tell BBC: “I think that it is extremely sad and I would be shocked that patient records were on the Google drive. That is not how NHS patient records should be handled.”

By June 26, 2013, Diagnostic Health knew it was violating data protection protocols. Nevertheless, says the BBC, the firm kept populating the database until July 22. Sometime last year, a whistle- blower alerted authorities, and there was an official inquiry. Diagnostic Health voluntary stopped providing scans; but working with the ICO, it’s completed an action plan, and plans to resume work.

Exposed Patient Records, Huge Risk

There are lessons to be learned from this, particularly for any company in the United States that is subject to the Health Insurance Portability and Accountability Act (HIPAA). Without the proper security procedures and systems in place, patient data can — and all too often will — finds ways to escape. With the fines, breaches can get very expensive and become a public relations nightmare. Permitting these lapses is also hugely insensitive to the patients, and is a betrayal of their trust.

With that in mind, organizations responsible for other people’s sensitive data must standardize on an enterprise-grade storage and collaboration solution. The system must guarantee ironclad content protection, pretty much throughout any document’s entire lifecycle. This system should control content security all the way to the file level, and be capable of revoking access to data at any time. And if a file leaves the company firewall, it should remain encrypted and inaccessible, except by authorized persons.

Want some tips about evaluating enterprise collaboration solutions? We suggest you start by asking these eight basic questions.

Marc Songini

Marc Songini

Marc Songini has worked in the information technology field for more than 16 years. His roles have included those of journalist, analyst, and marketing communications specialist. He admits that when he started out as a cub high tech reporter, Netscape was still rocking the industry with a wondrous new user interface called a “browser.” During his 10 years with International Data Group (IDG), Marc wrote for NetworkWorld and Computerworld, both award-winning magazines. Marc specializes in cloud, enterprise apps, and figuring out the meaning of being human in an automated world.