Welsh medical practice loses details of 8,000 patients

A medical practice in Wales has reported to the Information Commissioner’s Office (ICO) that it has lost the personal details of 8,000 patients.

In March this year, a member of staff at the Lampeter Medical Practice downloaded the data onto an unencrypted memory stick.

The memory stick was posted via recorded delivery to the Health Boards Business Service Centre but never arrived.

This is a clear breach of the Data Protection Act, which states data must be processed and kept securely.

Sally-Anne Poole, ICO enforcement group manager said: “It is unnecessarily risky to download 8,000 personal details on to a memory stick.

“It is imperative that staff are made fully aware of an organisation’s policy for securing personal data and any portable device containing personal information should always be encrypted to prevent it being accessed in the event of loss or theft.”

Dr Rowena Mathew, head of the Lampeter practice, has agreed to take remedial action by ensuring sufficient steps are taken to stop another security breach occurring.

This includes ensuring all mobile devices including laptops and memory sticks are encrypted, ensuring physical security measures are sufficient and making staff fully aware of the organisations’ data security policy.

“I am pleased Lampeter Medical Practice has agreed to take action to prevent a similar security breach happening again,” said Ms Poole.