Student's flimsy bin bags blamed for latest NHS data breach A data protection gaffe affecting the UK's NHS is being pinned on a medical student who placed too much trust in their bin bags. An investigation was launched following the discovery of confidential medical data sprawled across a back alley in Jesmond, a pricier suburb of Newcastle in the North East of England. The medical …
Worst case, this will come in handy for the medical student struggling with anatomy.
https://supersimple.com/free-printables/skeleton-dance-worksheet-fill-in-the-blanks/
Icon: Head bone
Sir Lancelot Spratt would probably have a few choice words to say to this medic
"The worrying thing is whether the medical training was retained any better."
The medical training is theory taught in lectures and regurgitated in essays, then tested (more than once) for retention, then demonstrated in a practical setting, then performed by the student over and over until they get it right. The Information Governance training is a leaflet.
I even shred my junk mail. The pity is there's not so much of that anymore. It's a great way to dilute the value of anything else I've put through the shredder. The stack is getting big enough for a big shred pretty soon. I made an adapter so I can shred straight into a big bin rather than the tiny little thing that the shredder comes with and I can do 3-4 months worth in 15-20 minutes, bag it and pour in the pulsating masses accumulating in the back of the fridge, give it a good shake so everything is well coated and put that in the wheelie bin the night before trash day.
> Even if the bags did rip, why had the documents not gone through a cross-cut shredder?
Exactly this.
I was once a temp in a [paper] health records library, over twenty years on I still recall the rules we had to work under (and I expect in this post-GDPR world they've got much stronger)
Knowing a few medical students as I do, many come across as arrogant "rules are for plebs" types. You know, just like the Marketing Director types who insist on forwarding business emails to their personal account so that they can "access them more easily while travelling" because the VPN is too much hassle. Or the politician who ignored the instruction to replace their SIM yet allowed the kids to run up a £15k bill watching football.
It's not stupidity. It's arrogance. And in my experience they will never accept that they are in any way to blame.
Yes, I'm in a bad mood after being reminded of the idiots I've had to work with.
"Knowing a few medical students as I do, many come across as arrogant "rules are for plebs" types"
I'd hesitate to say "many", but I'd agree to a good extent. My daughter's a 3rd year med student, and she's encountered all manner of lazy entitlement and misbehaviour from a minority of the course. The standards for admission are too heavily biased towards excellent high school grades, the medical schools themselves arrogantly write off many people who would be excellent candidates and prefer people with excellent grades but without either the commitment to such a hard course, or the integrity or empathy to make good doctors. The course then has high drop out rates.
An interesting rule of thumb appears to be that if somebody has wealthy parents, they'll be a very poor choice as a medical student.
It is both stupidity and arrogance, aka the Dunning-Kruger effect.
After a little exposure to the hospital system, a medical student's first familiarity is sometimes internalised as mastery, the "I've got this sorted" attitude. It's often only when they have to earn a living and bear responsibility for the consequences of doing the job that they realise how hard it actually is. Sadly that sort of experience often comes through mistakes. This in a job where small mistakes can be catastrophic. The supervision of seniors, colleagues, & nurses is all that forms a safety net, and those colleagues have enough decisions of their own to make, and can't check every decision. How much the colleagues care about the training of their juniors is also very variable.
I came here to post exactly this. Heads should roll, and not necessary the easy-to-blame student. This stuff never should have left the patient file or the doctor's desk without passing through the shredder. This shit is the basics. If they can't get that right, what else are they screwing up? Flinging X-rays to each other using Dropbox, perhaps?
Exactly. Why was a student allowed to take confidential hard-copy home?The process is failing in that respect. Any confidential documents taken off site should be in electronic form on an institution owned, encrypted laptop at worst, and ideally only accessed from home over a VPN and never stored locally on the laptop.
> Flinging X-rays to each other using Dropbox, perhaps?
That would be good, some of the stuff my late brother received (his specialisation was paediatric pathology) was email attachments sent to his personal account…His frustration (with the outcry in the 90s over retained tissue samples) was that everything he was trying to do was to save lives, it wasn’t some macabre fetish; partly as a result of his work he never had children of his own, but was a good uncle; to him the abnormal child was the one that was normal.
As we don't know the underlying situation I'd be reluctant to accept some of the assumptions here. As a student the case notes might be part of an exercise taken home to work write up there. Cross cut shreds wouldn't be much use there and suitable shredders aren't going to be part of student digs furnishings. It's the thought that they should be disposed on in this way that's worrying.
TFA did specifically say training was given. Experience is a dear teacher but there are those who will learn at no other. I hope we can take it that this student has finally learned.
The fundamental problem, as a previous commenter has noted is Information Governance.
The law has focused more on the rights to access with the security of retention and handling being left to GDPR, so I suspect medics don’t really value the information and handle accordingly, in the way someone who has to deal with Classified documents, that are covered by the Official Secrets Act handles “Confidential” documents.
"Cross cut shreds wouldn't be much use there and suitable shredders aren't going to be part of student digs furnishings."
A recent estate sale I attended had a shredder that I considered but since I really didn't need another one, I passed it by. Turns out the deceased owner had used the bottom to secret about $80k in cash and another $20k in gold coins. It was found by the auction staff when they were doing a clean out of the property and somebody noticed it was quite heavy. I could have had it for $1.
I have a feeling that the entire of Newcastle University’s medical school should do some shredding training. Like 1000 pages a day through a cross cut shredder that can only take max 10 pages at a time.
Seriously, this information breach is inexcusable in today’s day and age. I am a physician and have given handovers to junior doctors for on calls, but rules were that the paper sheet did not leave the hospital and were shredded as soon as out of date on the ward shredder. Would love to say that the EHR would mean a no paper copy would be possible, but our EHR has some uptime issues so paper is the fall-back plan.
The ICO is going to have sanctions on both the hospital and the University.
> mot of these papers shouldnt have been printed in the first place
Trouble is the tools available to read such materials haven’t really evolved from the first e-reader, even PDF readers haven’t really improved, with respect to the reading experience.
My daughter for her dissertation had 29 paper books on the go, all with post it notes, and scattered across her room in meaningful groups, try replicating that ease of access with a computer…
"WIth all the billions everything should be available online there should be no need for doctors to print to share anything with another doctor."
If you are doing case studies and want to compare data, it can be easier to have hard copy. It doesn't need power to tech to run on. I don't think limited quantities of data are all that valuable to anybody but a highly specialized collector and they will want the data in digital form and large quantities. The big problem is that the person is showing carelessness when it comes to proper procedure and that could lead to a serious breach.
FIrst of all very few doctors do case studies, so how about you actually address the majority use case that affects the vast mjoarity of doctors.
For the vast majority there they shoudl be able to function without hard copies. Even for case studies and similar aggregations it shouldnt be rocket science to provide support for tagging multiple reports and then make them available in a ipad or kindle type device for "off-line" reading.
"but rules were that the paper sheet did not leave the hospital and were shredded as soon as out of date on the ward shredder."
There are companies that have mobile shredders that will reduce tons of paper to confetti in short order. That's going to be cheaper and cleaner than having a properly secure shredder on every ward. It might be better to have a secure box to store paperwork that needs shredding where a member of staff takes it away to central storage until the shredder truck comes around periodically. A good policy is that every piece of paper gets shredded rather than having anybody deciding what does and doesn't.
If this behaviour were demonstrated in a qualified doctor, it would bring a rebuke and corrective training from the registration authority in the first instance. Continued failure to observe ethical standards of confidentiality would see you deregistered.
I don't believe there are reasons a medical student could justify taking medical record information out of the hospital.
The NHS Trust will be more concerned about procurement costs as they will have signed a confidential waste, clinical waste, general waste and laundry contract that works by number of bags collected as opposed to weight…. so behaviour is coerced into ramming as many bags into one as possible.
This. Even at my employer, that isn't in the medical field, we deal with confidential engineering/company data better. Sensitive documents go in the designated (locked) bins, with a narrow slot with a lid so it's hard to retrieve anything from them. The bin then gets processed by a dedicated company (the contents is incinerated).
"Do not throw away sensitive documents in the normal trash" should be an absolute and simple rule that even med-students could follow.
At my old address, many decades ago, I would tidy up the back alley. One week was a mess. Papers everywhere from one of the neighbours' bin bags, liberated by the local felines. Had a look at them as I assembled them to rebag. Details of arms deals - enough to invade a small island. Lists of weapons from some of the countries the Foreign Office no longer send Christmas cards to.
As this was when the [original] IRA were active, handed them in to the local plods. Heard nothing back. No cops visited the area. Presumably it was his legit side hustle. Who knows what your neighbours are up to on the sly?
Hasn't the UK completed the wheelie-bin transition yet? In garbage terms, the Pivot to Lids.
"In garbage terms, the Pivot to Lids."
Where I live, the wind can catch the lids and then the ravens have a go at the bags to see if there is anything interesting. Trash everywhere. If the lids on the bigger dumpsters are left open, the ravens will climb in and toss out anything they don't want as they dig. I'd rather have raccoons (trash pandas).
> The medical student is thought to have thrown the documents into their domestic waste, which was placed outside for collection.
And no doubt contained food waste that the local foxes smelled.
Though why a student had taken confidential documents away from their workplace is a question worth asking.
Back in my youth as a dogsbody cashier in a high street bank all waste with any confidential information had to go into dedicated confi waste bins.
This wasn't just an information leaflet that was sent out and forgotten about; they would randomly check your non-confi bin a few times a week and if you got caught with so much as a first name written on a piece of paper you were fucked.
Actually taking this information out of the building with you to an unsecure location? fugeddabowdit
Even 20 years after i left that place I can't bin so much as an envelope without cross-shredding it first and putting into the compost. the training is just that ingrained into my soul
Actually a few years ago i caught a smackhead doing the rounds of the recycling bins kerbside one week. Chased him off and called the coppers out on him, but it suddenly all seemed worthwhile that I knew my stuff was just generic packaging
...this is a system process / management failure
Why was this in printed format?
Why did the student have to take it off site?
Why was the student allowed to take it off site?
If it's for training, why not have dummy data or a VPN access in to a secure enclave?
And as for "Case closed". Nope. You've still broken GDPR. It's not for you to decide it's all done and dusted.
Don’t disagree about the potential sensitivity, but don’t expect GDPR or the DPA to offer any protection.
“ In legal terms, the General Data Protection Regulation (GDPR) and the Data Protection Act no longer applies to identifiable data that relate to a person once they have died.”
[ https://www.hra-decisiontools.org.uk/consent/principles-deceased.html ]
The document is worth reading, as it also cover wider medical consent. The pre-op consent for a cochlea implant at Addenbrookes also includes the use of video and photographs, something that is missing from the reference I give here.
I feel that too many people here are after the managers, when it's obviously the person who actually took the stuff home then left it lying around that's to blame.
I have no love for managers generally, but at some point they still have to trust the actual people to use the actual shredder.
University students don't get offered the IT system that the doctors employed by the NHS Trust get to use. Typically, because the Trust will pay the costs for the Computer on Wheels (COWs) workstation for staff or PC tablets as they are productive for the NHS, but students do not meet that criteria. Many hospital electronic health records (EHRs) in the UK are based around EPIC or Cerner (/Oracle) Millenium and are Windows-based, with all the UI and keyboard/mouse issues that causes.
It was a student that caused the information breach.
Lol.
The first head that should roll is the person in charge of data security. There is no need for people to be taking patients data off-site and beyond the network boundaries. It's not 1970. This is beyond lax and falls far below the standard a reasonably competent person would expect.
It shouldn't have been possible for the student to mess up this badly.
For the student a last and final with a clear understanding that any further casual attitudes to patient data will result in dismissal.
There's no excuse for this and hopefully everyone here knows it.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
