Tuesday, December 25, 2007

Birmingham And Solihull Mental Health Trust Hospital Cats Discover Naked Patient Records

The UserWatch Team of course has its secret investigative weapons in the shape of MOW and YOW (left)

These community cared for hospital cats who escaped The CEO Soo Furnace's contract out on them with Rentokil, are now employed By UserWatch to search journalists and NHS dustbins for stories that are fishy and might be used to batter the NHS back ....

Pictured here (left) in conversation the discovery is clear : Who needs the Sun newspaper or the Daily Mirror or the Daily Shagalot when patients records walk about nakedly ..

Hell everyone is naked under the New Labour security conscious Govt ....Usama now knows our health records and innermost fears and mental health secrets, and will be sending arachnophobia crawly bombs over to the UK as well as leaflets on how to kill your own Government and actually be safe ..

By being a pro confidential terrorist and undermining the Gov'ts insecure pro security ways he will become Britain's next Prime Minister by exposing what tossers we have that destroy security of mind and safety of privacy ... Usama ! all is forgiven - Allahhhhhhhhh Akbahhhhhhhhhhh ...

But of course we cannot end there ...OOOO Nooooo -- Real records are flying about here and there in the winds ... We argue NO NHS Trust has safe records because the overmerged antilocal anti-patient anti service anti choice behemoth does not know what it is doing and often does not have the staff to do it....Your records are not safe because if you are not an active patient then the records can be culled after 7 years anyway and we think it should be simple good practice for patients or Carers to construct a copy - what is in the public interest should be decided by the public in these matters .. SEE REPORTS BELOW :

From Guardian Blogs We Have this below :

Norfolk and Norwich hospital has become the latest organisation to leak personal data after confidential health records of 55 patients were found in a residential wheelie bin.

The Eastern Daily Press reports that a 67-year-old woman in Bowthorpe, a suburb of Norwich a short distance north of the hospital, found notes including sensitive mental health details, with handwritten annotations and names and addresses. The hospital is launching an inquiry into how the records were dumped.

The North Norfolk MP, Norman Lamb, said: "This is a horrifying breach of security. It is so important that this information remains on site so patients are confident in the NHS. Some of the most personal and private information is on these records.

"This has to be treated as a zero tolerance policy with nobody being able to breach security arrangements again."

Alas, patient records going missing - in both paper and digital format - is nothing new. As recently as last week, Maidstone and Tunbridge Wells NHS trust lost a memory stick containing the medical records of cancer patients. And a computer decommissioned from Dudley hospital was recently sold on eBay with medical records still on the hard drive.

Another trend hospitals seem keen to join is offshoring transcribing medical reports. Last year, a trust came under fire from the union Unison for piloting a scheme where tapes would be written up in Chennai, India. It claimed that errors would be made and jobs put at risk. The hospital? Norfolk and Norwich.

With this background of data meltdown in the public sector, David Nicholson, the NHS chief executive, has ordered all trusts to review their information security policies - keeping unencrypted information out of memory sticks, avoiding transferring huge amounts of patient records in bulk, and so on.

One would hope that the NHS's national programme for IT would in essence provide some greater data security - as the programme's departing chief executive, Richard Granger, has frequently commented, leaving huge trolleyfuls of confidential records lying around in hospital corridors is much less secure than putting them behind computer firewalls. Still, anecdotes abound of clinicians sharing passwords and access cards to health records and leaving computers logged in.

This is why computers aren't the solution and aren't the problem. Somebody chose to dump paper records in an anonymous bin, and another somebody neglected to securely wipe the hard drive. People, rather than the technology they use, are always going to be where the pipes burst.

(SEE Also BBC Story Jan 9th 2008 HERE)

(See Data Abuses too Here Jan 10th 2008)

(See London Hospital Investigations Here - BBC Jan 10th 2008 )

(see also BBC USB stick lost 6000 records story Jan 2009)

"The confidential paperwork from two London hospitals detailed serious illnesses suffered by patients.

Whipps Cross University Hospital in Leytonstone, east London, and St Bartholomew's Hospital in the City, have both launched investigations. "

(See Patient Files Found In The Shithole Here And Extract Below)

PRIVATE, confidential information about a psychiatric patient has been found in a visitor's toilet at the Brooker Centre, beside Halton Hospital.

Two open brown envelopes contained a man's name, NHS number, blood test results and personal medical details.

"I was shocked," said the Runcorn woman who found the information on Monday afternoon, in the female visitor's toilet between the Brooker reception and the Pine Day Unit.

"This poor person has no idea their details were just randomly left in a toilet. They could have been found by someone who knows him.

(See Records Found In London Garden Times Online 11th Jan below)

Story by Tomasz Johnson

CONFIDENTIAL patient records from Whipps Cross University Hospital have been found in the garden of a Potters Bar resident.

The Trust has launched an investigation to find out how the blunder occurred.

The records, which are thought to include details of patients' serious illnesses, were found in a front garden in Coopers Lane, near Potters Bar.

(See Jan 11th Oldham Story Here Below Too From Manchester Evening News)

Reporter Don Frame

SENSITIVE personal information on almost 150 NHS patients in the Oldham area has been `lost', health bosses admitted today.

See E-healthinsider too

See too what some staff have to say In Dec 2007 too BELOW From E-insider

14 Dec 2007

NHS chief executive David Nicholson has written to all NHS trust chief executives instructing them to immediately review and tighten their information governance and data transfer arrangements.

The 4 December letter requires trusts to urgently re-examine the arrangements and policies local trusts have for securing data in transit. Trusts are told to urgently buy-in additional security expertise if they do not have it in-house already, and to check security arrangements for laptops, CDs and pen drives.

In his letter, Nicholson refers to "recent concerns about public sector", though the NHS boss doesn't mention last month's loss of confidential data on all recipients of Child Benefit by HM Revenue and Customs by name. Instead it speaks of the need to focus on "the security of information between locations and organisations".

Two recent reports by E-Health Insider and sister title EHI Primary Care have highlighted that some NHS organisations have a lot of work to do to improve information governance. Sefton PCT this week confirmed it had sent details on 1,800 staff to organisations it declined to name. Last week EHI Primary Care reported that Hastings and Rother PCT was sending patient records out using standard Royal Mail post.

The letter says: "No element of information governance, as provided in the information governance toolkit, should be neglected, but priority must be given to securing improvements in the security of data in transit."

In a checklist of immediate steps all NHS trust CEOs are instructed to "Check your systems and procedures, and deal with any shortfalls immediately"; "Check that your control on the movement of person identifiable data is good enough"; and to "not hold identifiable data on portable media unless it is encrypted".

In addition, the letter tells trust chief executives: "Do not bulk transfer person identifiable data, unless it is absolutely needed for direct patient care, before you have sorted out your secure processes, and do this quickly."

As well as addressing the immediate priorities on data transfer and security, trusts are directed to undertake a more detailed programme of work.

It states: "I am looking to each of you to assure yourselves and your Boards that the arrangements that apply in your organisations meet the policies and guidelines that have been provided in the past by the Department, and that there are robust procedures to ensure they are followed."

Nicholson's letter concludes: "I would be grateful if you would give close attention to these issues to ensure that public confidence in the NHS's protection of patient information is maintained."



Security in the NHS

16 Dec 07 14:12

It was only yesterday that someone (in a clinical area) was going to give me their login and password (to a clinical system) in order to look at an issue for them - when will these people learn that they have their own personal login and password FOR A REASON?

I honestly really don't think that the public sector will start to take data protection seriously until some sort of legal action and claim for damages has actually been brought against an INDIVIDUAL.


disciplinary offence

17 Dec 07 14:12

I hope you raised that officially to the person's line manager - it's about time people realised just how inappropriate this behaviour is, and faced the £2,000+ fine and future employment problems after being prosecuted. I'm fed up with people whinging about the security issues inherent in the spine when they lose files, CDs and give out system access details without care for the consequences.

When are the local organisations going to take responsibility and properly educate and discipline their staff in this area? If bank staff acted with this kind of disregard for privacy, they'd be in serious trouble and people would be raising all kinds of hell.


Taking Responsibility of Data

21 Dec 07 00:12

Until very recently as being someone working in a PCT I asked a director who was leading a project with a drug company that was extracting data from GP systems, the question if he believed that there was appropriate information governance in place to ensure patient confidentiality. On being summonsed to his office to be told in a very forthright manner that he had a commercial contract in place and that was sufficient governance and not to question his judgement.

When the Inland Revenue data loss issue came to light the same Director was now becoming nervous of what he had in place and sought guidance from the Director of IM&T, something he should have listened to earlier.

What Directors in particular have to understand is that Information Governance is probably the single most important thing that they are responsible for. And quite rightly measures are going to be put in place by central government to make senior managers accountable and if appropriate a jail sentence for lapses in governance.

Every Director who has a responsibility for data should take note and recognise their responsibilities in this important area.


disciplinary offence


22 Dec 07 00:12

In addition to the £2k maximum fine, breach of the Computer Misuse Act may also carry a sentence of up to 2 years imprisonment and under most Trusts' disciplinary policies constitutes gross misconduct which may lead to summary dismissal on first offence. So hacking or giving away usernames and passwords is seen in law as more serious than the resulting loss of person-identifiable data.

Sadly, the current DPA doesn't include imprisonment in its list of permissible penalties - perhaps it should?


Slam! ....... goes the stable door .......

Link E-health-insider here

Meanwhile in Birmingham and Solihull ? Maybe we'll get back to you later about that ...

Two Trusts Found Guilty of Data Loss : (HSJ Source)

  • Published: 23 January 2009 13:17
  • Author: Dave West

In the first case, a laptop carrying unencrypted data of around 5,000 patients, including health records, was stolen from premises of Abertawe Bro Morgannwg University trust, in South Wales, in April.

The Information Commissioner's Office said it was believed the computer was stolen by an opportunistic thief when an office was left unlocked.

The trust has signed an agreement with the commissioner to encrypt all data in future and improve security.

In the second case, Tees, Esk and Wear Valleys foundation trust lost a memory stick containing unencrypted personal information about patients and staff. The stick was passed to the media, prompting the trust to carry out its own investigation.

Appropriate measures

The organisation has agreed to use only encrypted data sticks, to put in place encryption policy and procedures and to ensure that external contractors are aware of the issues.

Assistant information commissioner Mick Gorrill said: "Even though one case involved the theft of a laptop, the data controller is responsible for ensuring any personal data is adequately protected.

"The Data Protection Act clearly states that organisations must take appropriate measures to ensure that personal information is kept secure."

Password protected

A statement from the Abertawe Bro Morgannwg trust said: "The theft took place outside of normal office hours, at a time when the offices would normally be unoccupied and the rooms locked.

"The laptop contained patient identifiable information, but this information was password protected. In addition, documents stored on the hard drive were also password protected."

The trust said it had taken a number of measures to improve security and encryption, however.

A spokesperson for Tees, Esk and Wear Valleys foundation trust said: "Safeguarding patients' confidential information is of the utmost importance to the trust.

"We have already put a number of measures in place to prevent something like this happening again and work to ensure that we comply with all the ICO's requirements is well under way."
