The laptops that went missing in May from a store room at London Health Programmes, based at the NHS North Central London health authority, had unused encryption software in them, according to a report by SearchSecurity.co.uk.
Earlier this week, The Sun reported that a laptop containing hospital records of 8.63 million people has gone missing. The laptop was one of 20 that have gone missing and eight have been recovered so far. The loss occurred about four weeks ago but was reported to the police recently, according to the report.
Now, according to a report by SearchSecurity.co.uk, it is revealed that the laptops had encryption software in them, but were left unused.
Taunton-based Data Encryption Systems managing director David Tomlinson told SearchSecurity.co.uk that the NHS has a licence from McAfee to run its software, including the SafeBoot disk encryption, on all its computers.
Tomlinson added, "If someone wasn’t encrypting their laptops, questions should be asked because they’ve paid for [the encryption]."
It is believed that the missing laptop contained sensitive details of 8.63 million people as well as records of 18 million hospital visits, operations and procedures.
Although the missing data does not include names it does contain postcodes and details such as gender, age and ethnic origin, according to The Sun. Details of cancer, HIV, mental illness and abortions were also contain in the records.
Information contained on the laptop was not encrypted, which Nick Lowe of security firm Check Point described as "essential" to safeguard personal records.
"The scale of this potential data loss drives home just how essential it is to have mandatory, strong encryption on all sensitive, personal on laptops and portable storage devices – even if those devices are stored in supposedly secure areas within buildings. Less than half of all UK firms encrypt their laptops, so data security is still being mostly left to chance," he said.
The Information Commissioner’s Office (ICO) is looking into the matter.
An ICO spokesperson has said, "Any allegation that sensitive personal information has been compromised is concerning and we will now make enquiries to establish the full facts of this alleged data breach."
