A secretary acting outside the rules was the cause of a serious breach in data security and patient confidentiality at Bradford Teaching Hospitals, an investigation has found.

However, findings also highlight a number of other factors that contributed to the incident, including:

  • a delay in issuing encrypted memory sticks to staff
  • a lack of detailed knowledge and understanding of the policy among staff in the hospital department involved
  • and a gap in the induction process for new employees meaning medical secretaries routinely worked from home.

The findings have prompted the introduction of a raft of extra safeguards across Bradford’s hospitals to prevent staff taking patient data off-site and not keeping it fully secure.

It follows an investigation by Bradford Teaching Hospitals NHS Foundation Trust after a secretary lost a computer memory device in the library of Leeds Metropolitan University, where she was also a student, on April 21.

She inserted the unencrypted memory stick containing patient letters and waiting list data into a computer and forgot to remove it when she left.

As soon as the memory stick was reported missing, the Trust apologised to all 5,650 patients whose details may have been stored on the device and launched an immediate investigation into the circumstances. They also introduced a telephone information line which received more than 1,000 calls from worried patients.

The inquiry concluded that the member of staff breached established procedures by using an unencrypted memory stick for storing patient-identifiable data, and taking it off-site.

The member of staff no longer works at the Foundation Trust and despite an extensive search, the memory stick has never been found.

Chief executive, Miles Scott, said: “It is essential we protect patient confidentiality and I am very sorry that our established procedures were not followed in this case.

“While there is no suggestion that the policy was inadequate, we do recognise that there are wider issues about how the policy may have been shared with staff and how it was implemented.

“One of the lessons learned from the inquiry is that there needs to be a greater focus on this and it forms an important part of our action plan. All our efforts are now focused on doing whatever we can to strengthen and improve our systems and procedures for maintaining patient confidentiality right across the Foundation Trust.

“We are determined to learn whatever lessons we can from this incident – and the swift action we have taken shows how seriously we are taking it.

“We have already introduced a raft of improvements across both hospitals and will explore every possible way of tightening these safeguards in the future.”

New security measures are spearheaded by the issuing of encrypted memory sticks to 300 members of staff, each protected by a secret password.

Other improvements include:

  • a total ban placed on the use of all other memory sticks throughout the organisation
  • modifying desktop computers so only those memory devices which are authorised and encrypted can be used in them
  • mandatory use of passwords for users of BlackBerries and other similar handheld devices used to send emails and access the internet
  • a ban on the regular forwarding of emails to and from personal email addresses which are not part of the secured NHS system
  • a requirement for all wards and departments to review their approach to the safe storage of patient data on a monthly basis
  • the cascade of detailed guidance to all staff setting out the importance of data security and their responsibilities in ensuring patient information remains confidential

In addition, data security experts from PricewaterhouseCoopers will assess the range of safeguards that are now in place and ensure they comply with the very best practice in the NHS. They will also advise on any further action that can be taken to strengthen the arrangements further.