EXCLUSIVE: Trusts fail to act on patient data loss
By Steve Nowottny
NHS bosses are repeatedly failing to take action against staff who lose personal records, breach patient confidentiality or access patient records without authorisation, a Pulse investigation reveals.
Findings obtained under the Freedom of Information Act from 47 PCTs, hospital trusts and NHS authorities show little or no action is being taken in the wake of dozens of security blunders.
The survey of trusts reveals there have been 188 reports of staff breaching data privacy rules or accessing patient data without authorisation since January 2007, and 75 reports of lost data.
Just 14 of 263 incidents were followed up with formal disciplinary action, generally a verbal or written warning. No trusts reported suspending or dismissing staff.
The incidents include major confidentiality breaches, with the theft of a laptop containing the bank details of thousands of staff at Royal Cornwall Hospitals NHS Trust, and a staff member at Norfolk and Norwich University Hospitals NHS Foundation Trust dumping 55 patients' ward handover notes in a domestic bin.
A number of trusts reported staff inappropriately accessing patient records ‘for purposes not related to healthcare'.
Lambeth PCT reported a folder with the names, photos and telephone numbers of children involved in a child obesity project had been left on the Tube.
Dozens of more minor breaches, such as stray faxes and confidential records being disposed of inappropriately, were also reported.
But when it came to investigating the incidents, most trusts reported they had simply advised the employees responsible of the correct procedures or sent them for ‘retraining'.
Data security experts said they were alarmed by the findings of the investigation, which follows calls from the NHS Confederation and the Health Select Committee for NHS trusts to crack down on staff responsible for confidentiality breaches.
Professor Ross Anderson, a security engineering expert at the University of Cambridge, said it was likely many more security breaches were going unreported.
‘Information governance structures are totally lacking,' he said. ‘There's an awful lot to be done in terms of operational security.'
‘The only way you can change behaviour is by means of carrots and sticks. If there are no carrots available, you have to use sticks.'
Sian Thomas, the joint director of NHS Employers, who in June warned that trusts were not being tough enough on staff who misused patient records, said she was ‘unsurprised' by the findings.
‘I think you'd find this across most sectors, it's not just NHS organisations,' she said.
A Department of Health spokesperson said NHS chief executive David Nicholson had recently written to all senior health managers reminding them of their responsibilities with regard to data losses.
Trusts ‘are expected to take data losses extremely seriously,' she added.
But Conservative Shadow Health Minister Stephen O'Brien said: ‘This is yet more evidence of the Government's incompetence when it comes to keeping our personal information safe.'
‘Allowing patients' personal information to become available in this way is completely unacceptable, and yet we know that as per usual no minister will take the blame, and no one will be called to account. Alan Johnson must answer for this, the latest in a long line of Labour's data breaches.'
Dr Neil Bhatia, a GP in Yateley, Hampshire, warned the failure to punish security breaches would have knock-on implications for plans for the national rollout of the Summary Care Record.
‘Surely anyone who deliberately breaches a patient's confidence, such as looking up someone's record without any justification, should be dismissed,' he said. ‘It really is a licence to look up and steal data.'