ICO Fines Nursing Home Over Data Breach

The Information Commissioner’s Office (ICO) has fined a Northern Irish nursing home £15,000 for failing to adequately protect sensitive data.

The ICO’s report found “widespread systemic failings in data protection” at the time the breach took place at the Whitehead Nursing Group, based in County Antrim.

The breach occurred in August 2014 when an employee took home an unencrypted laptop belonging to the nursing home, which was subsequently stolen during a burglary. The theft was reported to police but the laptop has yet to be recovered.

The laptop contained personal details relating to 46 members of staff, including reasons for sickness absence, medical certificates and information about disciplinary matters. Sensitive personal information relating to 29 residents of the nursing home was also exposed, including name, date of birth, mental and physical health information and ‘do not attempt to resuscitate’ status.

The nursing home had no policies in place governing the use of encryption, and provided no guidance or training regarding security awareness for homeworkers or for using mobile devices such as laptops, the ICO’s report said.

Ken Macdonald, Head of ICO Regions, said: “This nursing home put its employees and residents at risk by failing to follow basic procedures to properly manage and look after the personal information in its care.”

“Our investigation revealed major flaws in the nursing home’s approach to data protection. Employees would have expected any details about disciplinary matters or their state of health to have been kept safe,” he added. “Likewise, residents would not have expected their confidential information to have been stored on an unprotected laptop and taken to an employee’s home. Whitehead Nursing Home had totally inadequate provisions for IT security and procedure and poor data protection training.”

The ICO added that a larger organization would expect to receive a bigger fine than Whitehead Nursing Home.

“Today’s fine shows we can and will act against any organisation we feel is not taking seriously its duty to look after the personal details it has been entrusted with. In a world where personal information is increasingly valuable, it is even more important to ensure the security of data is not overlooked,” Macdonald added.
