Friday, December 14, 2007

Data on 160,000 children lost by London hospital

I'm fairly sure these kinds of data losses are not new but in the wake of the HMRC debacle they have become temporarily newsworthy. The latest, via Ideal Government. I hope Ruth Kennedy won't mind me quoting her in full:

"That-paper-which-now-looks-really-heavyweight-in-comparison-to-all-the-freebie-showbiz-gossip-rags reports tonight that the personal details of 160,000 children have been lost at a London hospital in a fresh blunder over confidential information.

A computer disc containing the data was sent to St Leonard’s Hospital in Hackney but failed to reach the right department - even though it was signed for by hospital staff. The disc contained the names, dates of birth and addresses of 160,000 children and there were fears the information could be enough for criminals to create fake identities. The blunder occurred when the disc was sent by courier to the Hackney hospital by BT, which operates the NHS’s IT system, on 14 November. It is believed the courier company used by BT did not check that it was signed for by the correct person and the disc never reached its intended destination in the IT department.

A spokeswoman for City and Hackney Primary Care Trust, which runs St Leonard’s Hospital, said “BT couriered a fully encrypted disc containing patient information to City and Hackney PCT. It was not received by the named recipient, and attempts by the PCT to find the disc have so far failed. All deliveries of personal information have been suspended in light of the breach.” BT today called for parents to remain calm over the latest incident. A spokesman said: “Patients should not be concerned because BT uses the highest levels of security to safeguard the data in its care.

[Er… short of making sure that it or its representatives only hands over the data to the person who is supposed to receive it?]

“All NHS data sent by disc is fully encrypted to industry standards. We apply stringent controls in managing the complex encryption pass phrases necessary for unlocking the data. In this instance the encryption pass phrase would only have been released after one of two named individuals confirmed receipt. This was not confirmed so the encryption pass phrase has not been issued.”

Ah… we can relax then. (Though the Standard worries that even 256-bit encryption has recently been shown by researchers to be crackable in two weeks...)

All this attention on missing data is not unhelpful in drawing ordinary people’s attention to a) the volume and frequency of personal data transfers and b) the potential value of their personal data. That’s not a bad thing - probably more effective than a fancy public service advertising campaign. Ruth Carnall, chief executive of NHS London, has asked for an independent review of all NHS data transfer in London. WIBBI all these emergency reviews encompassed a really citizen-centric cost-benefit analysis of centralised data systems."
