Think the United States has its problems with securing patient health information?
We’re not alone.
London Health Programmes, a medical research organization based at the NHS North Central London health authority, has reported that an unencrypted laptop containing information on 8.63 million patients and 18 million hospital visits, operations and procedures is missing, according to today’s issue of The Sun.
The data does not include names, “but patients could be identified from postcodes and details such as gender, age and ethnic origin,” according to the newspaper. Information on the laptop included records of cancer, HIV, mental illness and abortions.
The computer was one of 20 lost, and officials have since recovered eight. The research organization “only just” reported the missing laptops to police although they went missing three weeks ago, according to the newspaper.
The Information Commissioner’s Office, Great Britain’s independent authority that promotes data privacy for individuals, has issued a statement regarding the laptop theft:
“Any allegation that sensitive personal information has been compromised is concerning and we will now make inquiries to establish the full facts of this alleged data breach.”
That British authority has been busy this month in terms of protecting private information, according to press releases on its website:
- June 14 – ICO tells CCTV website Internet Eyes to make changes following privacy concerns. Involves a complaint about a clip posted on the video sharing website YouTube that contained an identifiable image of a person in a shop.
- June 10 – Customer data thieves made to pay. Involves two former employees of UK mobile operator T-Mobile who illegally stole and sold select customer data from the company in 2008.
- June 9 – ICO issues monetary penalty over misdirected emails. Involves a breach of the Data Protection Act after sensitive personal information was e-mailed to the wrong recipients on three separate occasions.
- June 8 – Sensitive information stolen from council worker’s unlocked bag. Involves the theft of a home support worker’s bag containing papers which included sensitive personal information.
- June 1 – Personal injury worker prosecuted for illegally obtaining patients’ details. Involves a personal injury claims company employee who illegally obtained NHS patients’ information over a four-month period.
Health information breaches have taken center stage since President Obama signed into law the HITECH Act in February of 2009. It included a provision that allows government enforcers to publicize reports from healthcare entities suffering a breach that affects 500 or more individuals; their information appears on the website of the Office for Civil Rights (OCR), the HIPAA privacy and security rule enforcer.
The breach reported in Great Britain this week towers over the largest reported patient health information breach in the United States in terms of number of individuals affected — by nearly 7 million.
Health insurance giant Health Net, Inc. earned the top spot after it reported its potential breach affecting the health records of 1.9 million past and current enrollees to OCR in March. On the Health Net report, the “type of breach” is “unknown,” and the “location of breached info” is listed as “other.”
Since OCR began posting such information in February 2010, the list has grown to 288 reports.