Index  ›  health  ›  BBC
health · BBC ↗

Lampeter practice 'breached' Data Protection Act

BBC Published Jun 3, 2010 Reviewed Jul 2, 2026 ✓ Reviewed by citations.press editors
Citation-ready fact
The Lampeter Medical Practice lost the details of 8,000 patients, including names and addresses, on an unencrypted, passwordless memory stick that failed to arrive at its destination.
8000 patients · patient personal details (names and addresses)
Information Commissioner's Office (ICO), privacy watchdog
View source ↗
Citation-ready fact
The memory stick contained the details of some 8,000 patients, but no clinical information.
about 8000 patients · patient personal details
Information Commissioner's Office (ICO)
View source ↗
Citation-ready fact
The incident occurred after a staff member downloaded a database onto an unencrypted, passwordless memory stick in contravention of practice policy, and posted it by recorded delivery in March; it failed to arrive.
1 staff member · staff member who violated policy
Information Commissioner's Office (ICO)
View source ↗
Citation-ready fact
The ICO stated it is unnecessarily risky to download 8,000 personal details onto a memory stick.
8000 personal details · personal details
Sally-Anne Poole, ICO enforcement group manager
View source ↗
Citation-ready fact
The remedial action includes ensuring all mobile devices—including laptops and memory sticks—are encrypted.
2 device types · mobile devices (laptops and memory sticks)
Information Commissioner's Office (ICO)
View source ↗
Citation-ready fact
The Hywel Dda Health Board reminded staff—including commissioners such as GP practices, pharmacists, dentists, and opticians—about the importance of patient data security.
4 categories of staff/commissioners · staff and commissioners
Hywel Dda Health Board
View source ↗

A medical practice which lost the details of 8,000 patients, including their names and addresses, beached the Data Protection Act, says a watchdog.

The information was stored on a memory stick that was lost in the post between the surgery in Lampeter, Ceredigion, and an NHS business services centre.

The Information Commissioner's Office (ICO), the privacy watchdog, said the practice had breached the act.

Hywel Dda Health Board said action was being taken to address procedures.

The memory stick was reported lost in March after a member of staff at the surgery had, in contravention of practice policy, downloaded a database onto an unencrypted memory stick, which was not password protected either, said the ICO.

The memory stick was then posted by recorded delivery to the Health Boards' Business Service Centre, but it failed to arrive. It contained the details of some 8,000 patients, but there was no clinical information.

The ICO said it found the practice to be in breach of the Data Protection Act.

Sally-Anne Poole, ICO enforcement group manager, said: "It is unnecessarily risky to download 8,000 personal details on to a memory stick.

"It is imperative that staff are made fully aware of an organisation's policy for securing personal data and any portable device containing personal information should always be encrypted to prevent it being accessed in the event of loss or theft.

"I am pleased Lampeter Medical Practice has agreed to take action to prevent a similar security breach happening again."

The ICO said Dr Rowena Mathew, the head of Lampeter Medical Practice, had agreed to take "remedial action by ensuring that sufficient steps are taken to ensure a security breach doesn't occur again".

The ICO added: "This includes ensuring all mobile devices including laptops and memory sticks are encrypted, ensuring physical security measures are sufficient and making staff fully aware of the organisation's data security policy."

The Hywel Dda Health Board said it had been working closely with Lampeter Medical Practice since the incident to ensure that "immediate corrective action was taken and to address practice procedures".

It added: "The health board has also reminded staff, including commissioners such as GP practices, pharmacists, dentists and opticians about the importance of patient data security and to reinforce the formal procedure for the safe transfer of patient data."

The medical practice apologised in March after it lost the patient details.

This article was originally published by BBC ↗. citations.press indexes the source-backed facts above and links to the original. Something wrong? Corrections policy · Report an error