Poor ICT security leads to NHS data breach
20 April 2011
NHS Birmingham East and North has broken data laws after failing to restrict access to files on its ICT network, the Information Commissioner's Office has said.
Inadequate file security was said to have led to the breach, in which staff at NHS Birmingham East and North and two other NHS trusts were given access to restricted material.
Information relating to thousands of people, including members of staff, was contained in the files, and though the ICO found that health records were not compromised, it said high-level patient information was amongst the data.
"It's vitally important that IT networks storing personal information have robust security measures in place," said Sally-Anne Poole, the ICO's acting head of enforcement.
"Whilst nobody outside of the trust environment was able to access the files, problems with the security of the network still led to a situation where sensitive information was potentially available to NHS staff that did not need it to carry out their daily role."
Poole was, however, pleased that NHS Birmingham East and North had agreed to improve network security and review personal data handling processes.
The trust's chief executive, Denise McLellan, signed an undertaking that adequate technical security measures would be put in place to prevent unauthorised access to personal data.