NHS patient data serious incidents doubled since Capita contract

There was a 'significant increase' in patient information being dropped, accidentally left behind or sent to the wrong location after the NHS outsourced functions to Capita.

In 2016/17, one year after NHS England entered into the new primary care support services contract, around 700 patients were affected by inadvertent disclosure of their information - although in most cases items were discovered by, or handed into, GP practices unopened.

In all, 12 of the 18 Serious Incidents Requiring Investigation reported by NHS England in the last financial year were related to the Primary Care Support England (PCSE) contract with Capita, NHS England’s annual report reveals.

NHS England told Pulse that each of the cases had been thoroughly investigated with 'steps taken to prevent recurrence'.

But this does mean serious data breaches doubled compared to the previous year, when nine incidents were reported.

The NHS England report says the contract it awarded to Capita from September 2015 required the introduction of a national system for services like record movement, which had previously run from local offices.

It says: ‘After a few months of successful service, Capita implemented service changes which led to major issues in the operational services.’

‘The service issues included a significant increase in information governance issues, largely through failings in the new PCSE courier arrangements.’

Of the 12 cases reported last year, seven were discovered outside practices, though these were usually still in a sealed bag when they were recovered.

The remaining cases were of bags of records being sent to the wrong practice, pharmacist or an unspecified third party or individual.

In one incident, affecting 600 patients, the report says: 'A bag of medical records individually sealed in tamper-proof bags was incorrectly delivered to another medical practice. The practice opened the bag to verify its contents.'

In March, the report says, 26 records sealed in tamper-proof bags were sent to a pharmacy located in the same building as the intended practice.

In all but one case – still under investigation as of March - the report states that ‘remedial actions’ were implemented and the Information Commissioner’s Office had confirmed no further action was required.

But it did not appear these cases were getting less frequent, with three incidents reported in March 2017 - long after PCSE and NHS England announced they had made changes to the courier service to reduce the likelihood of problems.

Changes included larger courier vans with more secure racks, after the service was overwhelmed by the volume of patient notes when it launched in early 2016, with vans often full or overflowing when they reached practices.

Aside from the PCSE-related incidents, NHS England was directly responsible for three serious incidents last year affecting 292 patients, the largest of which saw sensitive data for 288 patients inadvertently sent to an external organisation.

The remaining three incidents were the responsibility of NHS England Commissioning Support Units, including one case where hospital patient record data for 100,000 patients - typically made available externally for research purposes - was provided to a 'third party'.

An NHS England spokesperson told Pulse: ‘NHS England takes the security of patients’ information very seriously. Each of these incidents has been fully investigated with PCSE and steps taken to reduce the risk of recurrence.’

A Capita spokesperson said: 'We take information governance very seriously and we continuously review our processes to ensure they are robust and compliant.

'All reported data-related errors are thoroughly investigated and we take the appropriate action in line with our own and NHS England’s requirements. In all of the cases highlighted the ICO has confirmed no further action is required.'

Pulse reported in May last year that the ICO was investigating issues in the new system for moving records and revealed how one practice had warned a patient had ‘discovered notes in the car park.’

NHS England’s report says that the ‘significant backlogs’ and delays reported by GPs getting the notes they need had ‘serious impacts for many primary care users and their patients’.

There were also issues affecting payments and registering GPs to the performers list.

Readers' comments (7)

  • But then private is always so much better than public.
    (**repeat until becomes the truth**)


  • Minimum wages, unskilled staff, never saw that coming......
    All of these 'facilities' companies are the same, prisons, 2012 Olympics etc
    Country is going to the dogs, can't even retire to France now-bastards


  • If the NHS was serious about patient safety -

    There would be an independent body of government and management overseeing this.

    The Secretary of State, management would be subject to regulation and corporate manslaughter.

    The 'government' would not have been able to cancel NICE's work on nursing safe staffing levels.


    It is about manipulation of the media and smoke and mirrors. What can be covered up does not matter.


  • On its website, Capita claims it can "Transform customer experience".

    Well, it has certainly achieved that!


  • Cobblers

    I do recall the government was looking at fining GPs for data breaches a sum of five figures.

    Can we look forward to Crapita receiving a fine for each and every one of these breaches?

    Why not?


  • I agree entirely with Cobblers. Data breaches are serious, and should be treated seriously and impartially, whoever or whatever was responsible, without fear or favour.


  • We have the most stupid people Managers in the world or should I put it in classic NHS bragging tone ' some world class buffoons or 20th century specimens'
    Here is a great example. NHS Digital is doing a survey to 'quantify' the burden on Primary Care. It's going to cost only £380k.
    NHS is struggling with finances and here you have some ETs trying to gauge our burden - and for what ? Does anybody doubt there is a burden? Is it going to improve anything? No.
    The only thing it is going to result is a loss of another £380k and that much lining somebody's pocket.
    Corruption at every step - in the name of saving the system. Long live our Managers and politicians !

    From email received today by all Practices:

    '' Detailed burden assessment findings
    There are no cost implications of this data collection for general practices.
    The £380k costs are a reflection of general practice system supplier development costs and NHS Digital costs in processing and publishing the extracted data.''

