Hospital doctors are carrying 'hundreds of thousands of kilobytes' of sensitive and identifiable patient information around on memory sticks with no security protection, a survey has found.

The survey at a teaching hospital in London by two clinicians found that 92 out of 105 of the colleagues they surveyed held memory sticks. Seventy-nine sticks held confidential patient information but only five were password protected.

Writing on hsj.co.uk today the clinicians warn that this is a clear breach of data security and that unless "urgent action is taken" the NHS will soon add itself to the list of public sector organisations that have been at the centre of data security scandals.

Common behaviour

They claim that although the survey took place at just one hospital, there is "no reason why this lack of security would not be mirrored in surveys across every hospital in the UK and beyond".

One of the authors - a surgical registrar - told HSJ the information included patient names and dates of birth alongside information such as x-ray results, diagnoses, and treatment details.

"Traditionally this would be in doctors' notebooks and loss of that would be a breach of data security but now the problem is that people have hundreds of thousands of kilobytes of patient information which gets put on these sticks and carried around."

Although trusts issue staff with secure chip and pin cards to access NHS databases and patient records, the cards cannot themselves be used to store data. Clinicians carry their own memory sticks to use the data for research or reference.

Unacceptable breach

A Department of Health spokesperson said: "Any breach of patient security is unacceptable. We would urge HSJ to provide details of the survey to the relevant trust so they can take appropriate action to protect patient confidentiality."

"The NHS locally has legal responsibility to comply with data protection rules. The department issues guidance to all branches of the NHS on information governance, including data protection."

In May, NHS chief executive David Nicholson wrote to senior NHS managers to remind them of their responsibilities.

See Data protection in the NHS - a ticking time bomb?