A report from the Information Commissioner’s Office (ICO) has revealed that as many as 10,000 NHS patients have had their data leaked in a breach at Birmingham-based Diagnostic Health.
The company, which carries out ultrasound scans for the NHS, said it had voluntarily suspended services.
The ICO refused to show the report to the media, but a leaked copy revealed that Diagnostic Health was aware on 26 June 2013 that it was breaching data protection guidelines but continued to add to the affected database until 22 July.
The audit carried out by the ICO revealed a stolen laptop that hadn’t been reported to the information commissioner. It was also discovered that staff used the same password to access a web-based storage service.
The data controller at University Hospital Birmingham, Daniel Ray, said he was shocked by the findings and that there was a secure electronic system, called N3, that should be used to send all patient data.
“I think that it is extremely sad and I would be shocked that patient records were on the Google drive. That is not how NHS patient records should be handled,” he said.