NHS Lothian staff member loses patient data

 member of NHS Lothian staff has reported their loss of a USB memory stick possibly containing letters with personal information of 137 patients. The information had been stored by the member in breach of clear and widely communicated regulations that prohibit the storing of NHS information on personal portable computing devices. Management took immediate action to start identifying the extent of the data loss as soon as this was reported and all patients are now being contacted and invited to have face-to-face meetings with an appropriate NHS healthcare professional. A helpline has also been set up for these patients and they are being offered full support and advice.

There is no evidence that the data stick has been stolen or any information disclosed.

Peter Gabbitas, NHS Lothian’s director of health and social care said:

“A member of staff has reported losing a memory stick of their own which they were using to store information about patients. It’s important to remember that the staff member came to us of their own volition to advise us of this contravention of our policy. The staff member has been active in helping us minimise the impact on these patients. “Any threat to patient confidentiality is very serious and management took action as soon as they were informed.
“Our own IT security specialists were called in and a special investigation team which included highly experienced doctors and nurses was formed to identify every patient whose confidentiality may be at risk. “The team has worked tirelessly since this was reported, including through the weekend, to assess the extent of the problem and so we could start contacting patients to explain the situation and offer support and guidance.


“At the same time the premises where the staff member was based were thoroughly searched.
“As soon as reasonable efforts to find the device had been exhausted NHS Lothian contacted the police.
“The information commissioner was also fully informed about the loss.
“I would like to take this opportunity to apologise again to the patients involved and to emphasise that we are doing all we can to resolve the situation.”


Due to the nature of the data loss the process of identifying the patients took several days but NHS Lothian is confident that this has been successfully achieved by reviewing the caseload and case notes of the member of staff concerned.



The member of staff has been subject to NHS Lothian’s employee conduct policy and has acknowledged their contravention of NHS Lothian’s policy on data protection and storing sensitive information on personal portable computer devices.


A letter has been sent to all staff and further information placed on NHS Lothian’s intranet reminding all staff of the seriousness of data misuse and the importance we attach to safeguarding confidentiality of patient information.
3 July 2008