Data security lapses endemic in NHS, investigation reveals
By Steve Nowottny
EXCLUSIVE: Four NHS trusts in five have lost patient data or suffered a data security breach since the beginning of last year, Pulse can reveal.
Our investigation reveals the true scale of confidentiality breaches within the NHS, with trusts reporting more than 1,300 incidents since January 2007.
GPs warned the findings would further undermine confidence in plans for electronic care records, with many of the data breaches involving NHS IT.
Figures obtained under the Freedom of Information Act from 162 PCTs, hospital trusts and NHS authorities showed that there had been 557 incidents of lost data and 794 breaches of confidentiality over the time period.
Just 32 out of 162 trusts surveyed said they had not had a data loss or security breach incident.
The Healthcare Commission admitted an employee had emailed copies of confidential files to themselves and, having resigned, could not subsequently be traced.
A number of trusts also reported cases of staff accessing confidential data for their own reasons, with Southampton University Hospitals NHS Trust admitting an employee had been caught changing her ex-husband's records.
Staff at Northampton General Hospital NHS Trust were disciplined after posting ‘inappropriate' pictures of a patient on Facebook.
One PCT even managed to commit a fresh security breach in the process of replying to Pulse's Freedom of Information request, sending us the names of patients whose records had been lost.
Many serious incidents appear to be going unpublicised and unpunished, as Pulse has recently revealed, with trusts revealing dozens of incidents for the first time.
Dr Grant Ingrams, appointed last week as the new chair of the GPC IT subcommittee, said it was vital NHS trusts cleaned up their information governance procedures ahead of the care records rollout.
‘It's not appropriate just to say ‘naughty boy' – if something happens in a trust there must be quite draconian action taken against the person who's done it,' he said.
‘With some of these PCTs if you put all their information governance policies together you've got a book several inches thick - but if no-one actually knows it, and no-one actually keeps to it then there's no point.'
Dr Chris Frith, a GP in Hereford, said: ‘All breaches of confidentiality, electronic or otherwise, have a subtle detrimental effect on the patient's trust of their clinicians.'
Data breach dossier
Southampton University Hospitals NHS Trust
A staff member was disciplined in January 2007 after accessing and then changing her ex-husband's records.
Northampton General Hospital NHS Trust
An ‘inappropriate' picture of a patient at the hospital was put on the social networking website Facebook. The staff members responsible were reportedly disciplined, although the hospital refused to specify the action taken.
A Healthcare Commission employee removed without permission five letters with the names and addresses of complainants and patients in December 2007. The staff member had resigned from the organisation on the same evening, and a subsequent investigation found the culprit could not be traced.
A staff member at a GP surgery accessed a patient's medical record to obtain his telephone number, then used it to contact the patient for ‘personal reasons not related to health.' The PCT refused to say if any disciplinary action had been taken, saying it would be a ‘breach of personal privacy.'
In June 2007 a weekend worksheet with a list of patient names, addresses and telephone numbers was lost after it ‘blew out of a car window'. Letters were immediately sent and hand-delivered to the patients concerned.
Northern Devon Healthcare Trust
Last October, an employee of a catering company contracted by the trust took a photo with his mobile phone of a dying patient in a bed and posted it on a website. The employee was subsequently dismissed.
Lancashire Teaching NHS Foundation Trust
In February, a staff member stole a ‘small number' of patient letters containing appointment clinic details. Patients were notified and the police and Information Commissioner informed – but the staff member was ‘counselled' rather than being disciplined.
In February, when the PCT relocated its smoking cessation service into its headquarters, 6,000 records containing patient names, addresses and in some cases national insurance or NHS numbers were lost in the move. The PCT decided not to inform the patients their records had been lost as ‘we do not believe they are in the public domain.'
City and Hackney PCT
In the process of replying to Pulse's Freedom of Information request, the PCT managed to commit a fresh security breach, sending Pulse the names of patients whose records had been lost. The PCT reported a total of 7 incidents of lost data or confidentiality breaches – now 8.