Doctors' memory sticks threaten data security

Data protection rules are being regularly breached

Hospital doctors are carrying "hundreds of thousands of kilobytes" of sensitive and identifiable patient information around on memory sticks with no security protection, a survey has found.

The survey at a teaching hospital in London by two clinicians found that 92 out of 105 of the colleagues they surveyed held memory sticks. Seventy-nine sticks held confidential patient information but only five were password protected.


Writing on hsj.co.uk today the clinicians warn that this is a clear breach of data security and that unless "urgent action is taken" the NHS will soon add itself to the list of public sector organisations that have been at the centre of data security scandals.

Common behaviour

They claim that although the survey took place at just one hospital, there is "no reason why this lack of security would not be mirrored in surveys across every hospital in the UK and beyond".

One of the authors - a surgical registrar - told HSJ the information included patient names and dates of birth alongside information such as x-ray results, diagnoses, and treatment details.

"Traditionally this would be in doctors' notebooks and loss of that would be a breach of data security but now the problem is that people have hundreds of thousands of kilobytes of patient information which gets put on these sticks and carried around."

Although trusts issue staff with secure chip and pin cards to access NHS databases and patient records, the cards cannot themselves be used to store data. Clinicians carry their own memory sticks to use the data for research or reference.

Unacceptable breach

A Department of Health spokesperson said: "Any breach of patient security is unacceptable. We would urge HSJ to provide details of the survey to the relevant trust so they can take appropriate action to protect patient confidentiality."

"The NHS locally has legal responsibility to comply with data protection rules. The department issues guidance to all branches of the NHS on information governance, including data protection."

In May, NHS chief executive David Nicholson wrote to senior NHS managers to remind them of their responsibilities.


Reader Response

As a Head of IT Services at a hospital trust I am concerned with this article. We have invested heavily in encrypted data sticks for all our staff who require data sticks, including doctors. Although we recommend and our policy states that users should not carry personal or sensitive data on mobile devices, we know they do, which is why we have invested.

This should not take away the individual's responsibility for protecting data; this is where the real problem lies. Attitudes need to change.