Tuesday, 09 February 2010
Press Release 09 January 2009

Information Security Breach

NHS Central Lancashire can confirm that a breach of information security has taken place. 

We are taking this very seriously, and we would like to apologise unreservedly for any concern this incident has caused. It should never have happened.

A thorough investigation is already underway, and urgent action has been taken to prevent it happening again.

The incident happened on 30 December 2008 at Her Majesty's Prison Preston. It relates to a missing USB data stick that was routinely used to back up the clinical administrative databases.

Data relating to a maximum of 6,360 patients was held on the device, although in some cases individual patients had more than one entry. All patients are, or have been, a prisoner at HMP Preston.

The USB data stick was encrypted, but the password had been attached to the device.

The information lost included prisoner surnames, their broad age range, prison number, cell location, prison clinic appointment times, and review dates. In some cases there was reference to clinics attended, medical condition and treatment offered. Conditions included asthma, diabetes, and mental health, as well as a very small number of sexual health references.

The USB data stick did not contain any other information such as first names, dates of birth, NHS numbers, or home contact details. Neither was there any financial information.

A thorough search by PCT staff, as well as HMP Preston's dedicated search team, has been undertaken. To date, the USB data stick remains missing.

Even though there is no risk to any patients' ongoing treatment or care, the PCT will be using a number of approaches to contact those affected to inform them of the breach and apologise.  A dedicated information phone line has been set up for anyone affected who may have concerns.

NHS Central Lancashire and the Prison Service are working closely together to investigate the incident. This will consider the PCT's systems in order that improvements can be made, and the recommendations will be made public. The PCT staff involved have been suspended while the investigation is carried out.

NHS North West, the Department of Health, the Home Office, the Information Commissioner and the Healthcare Commission have all been informed.

NHS Central Lancashire chief executive Joe Rafferty said: "We are deeply sorry - this never should have happened. We have launched a full and thorough investigation and we are taking all necessary steps to ensure it cannot happen again.

"The data relates to patients who have accessed HMP Preston's health clinic since the year 2000, and is a back-up of data stored on the clinic computer. Even though there is no risk to anyone's ongoing treatment or care, we have plans in place to contact those affected to inform them of the breach and apologise."

  • Anyone with concerns should contact the PCT's confidential information line on: 0845 609 9866. It is open 9am-5pm seven days a week until 23 January 2009. It will be operational from 3pm today (9 January 2009).

ENDS

Notes to editors

The PCT takes patient confidentiality extremely seriously. We have in place a number of policies, procedures and codes of conduct relating to information governance, which includes security and confidentiality of patient and personal information. All employees working in the NHS are bound by a duty of care to protect the personal information they may come into contact with during the course of their work.

In October the PCT undertook a data protection audit. A questionnaire was sent to all 3,000 staff via payslips. The results are being urgently analysed and will be used to develop future training.

The PCT also regularly reminds staff of their responsibilities as regards information governance and statutory responsibilities. This has recently been via a leaflet attached to payslips, the staff newsletter and team meetings. Patient confidentiality is a core part of the PCT's induction programme, and training in information governance is mandatory.

To make sure it cannot happen again, the PCT is:

  • Undertaking an urgent review of the information governance custom and practice within prison healthcare across the NHS Central Lancashire area.
  • Developing a prison healthcare IT system which will connect to the secure NHS server. This will be implemented as soon as possible, and will negate the need to use a stand alone computer which requires information to be backed up.
  • Urgently recalling all USB data sticks across the PCT to re-issue encrypted devices on a needs basis with clear guidance for their use.
  • Reviewing the adherence of staff to policies and procedures relating to information governance.
  • Formally reminding all staff about their responsibilities in relation to information governance, and in particular the use of USB data sticks.

For more information, please contact NHS Central Lancashire's Communications Department on 01772 645595 / 644445 / 678067 / 644408


