Information obtained by the medical journal Pulse under the Freedom of Information Act shows that at least 4000 NHS staff smart cards have been reported missing since their introduction, but the journal estimates from other data that the total is probably nearer six thousand, reporting that "one trust in 10 admitted it had no idea how many cards had been lost or stolen". Worryingly, Pulse also states that "In almost every case, lost or stolen smartcards were reissued automatically without investigation, and no disciplinary action has been taken against any staff member".
That is be bad enough in its own right, but in a comment on the Pulse report, general practitioner and medical privacy activist Dr. Neil Bhatia points out that the cards are issued with a standard default PIN. Considering that Connecting for Health has admitted to over a hundred stolen cards, the risk of medical records being leaked is considerable, and this is the personal data that most people consider most sensitive. Dr. Bhatia is one of a growing body of GPs who have campaigned vigorously against the NHS centralised patient records database, which has been under development for several years amid continuing controversy. The government believes that it will improve efficiency and has also suggested it will save lives, as it would make a patient's records available at any hospital or surgery in the country. But the proposed level of access – well over a million medical and non-medical NHS staff and outsourcers – has raised serious concerns. The Pulse report quotes security specialist Professor Ross Anderson saying "You can't expect stuff to remain confidential if a few hundred thousand people have access", and a recent poll by the British Medical Association revealed that nine out of ten GPs have no confidence in the security of the database. They believe the proposed system cannot be trusted not to leak patient data, and indeed the NHS has been guilty of a serious data leak of junior doctors' data in the recent past. It would seem therefore that there are excellent grounds for believing the security will indeed be inadequate.
Missing NHS smart cards can in principle be cancelled before much damage occurs provided the loss gets reported swiftly, and a properly enforced policy of changing the default PIN would further minimise the damage. They may therefore prove to be the least of our concerns. We must ask how lost or stolen National Identity Cards, which will include biometric information, will be cancelled when they also inevitably go walkabout in large numbers? Changing a PIN is easy, but by what conceivable mechanism are victims of identitiy card theft expected to change their fingerprints and iris patterns?