There was a ‘significant increase’ in patient information being dropped, accidentally left behind or sent to the wrong location after the NHS outsourced functions to Capita.
In 2016/17, one year after NHS England entered into the new primary care support services contract, around 700 patients were affected by inadvertent disclosure of their information – although in most cases items were discovered by, or handed into, GP practices unopened.
In all, 12 of the 18 Serious Incidents Requiring Investigation reported by NHS England in the last financial year were related to the Primary Care Support England (PCSE) contract with Capita, NHS England’s annual report reveals.
NHS England told Pulse that each of the cases had been thoroughly investigated with ‘steps taken to prevent recurrence’.
But this does means serious data breaches doubled compared to the previous year, when nine incidents were reported.
The NHS England report says the contract it awarded to Capita from September 2015 required the introduction of a national system for services like record movement, which had previously run from local offices.
It says: ‘After a few months of successful service, Capita implemented service changes which led to major issues in the operational services.’
‘The service issues included a significant increase in information governance issues, largely through failings in the new PCSE courier arrangements.’
Of the 12 cases reported last year seven cases were discovered outside practices, though these were usually still in a sealed bag when they were recovered.
The remaining cases were of bags of records being sent to the wrong practice, pharmacist or an unspecified third party or individual.
In one incident, affecting 600 patients, the report says: ‘A bag of medical records individually sealed in tamper-proof bags was incorrectly delivered to another medical practice. The practice opened the bag to verify its contents.’
While in March the report says 26 records sealed in tamper-proof bags were sent to a pharmacy located in the same building as the intended practice.
In all but one case – still under investigation as of March – the report states that ‘remedial actions’ were implemented and the Information Commissioner’s Office had confirmed no further action was required.
But it did not appear these cases were getting less frequent, with three incidents reported in March 2017 – long after PCSE and NHS England announced they had made changes to the courier service to reduce the likelihood of problems.
Changes included larger courier vans with more secure racks after the service was overwhelmed by the volume of patient notes when it launched in early 2016 with vans often full or overflowing when they reached practices.
Aside from the PCSE-related incidents NHS England was directly responsible for three serious incidents last year affecting 292 patients, the largest of which saw sensitive data for 288 patients inadvertently sent to an external organisation.
The remaining three incidents were the responsibility of NHS England Commissioning Support Units including one case where hospital patient record data – typically made available externally for research purposes – for 100,000 patients – was provided to a ‘third party’
An NHS England spokesperson told Pulse: ‘NHS England takes the security of patients’ information very seriously. Each of these incidents has been fully investigated with PCSE and steps taken to reduce the risk of recurrence.’
A Capita spokesperson said: ‘We take information governance very seriously and we continuously review our processes to ensure they are robust and compliant.
‘All reported data-related errors are thoroughly investigated and we take the appropriate action in line with our own and NHS England’s requirements. In all of the cases highlighted the ICO has confirmed no further action is required.’
Pulse reported in May last year that the ICO was investigating issues in the new system for moving records and revealed how one practice had warned a patient had ‘discovered notes in the car park.’
NHS England’s report says that the ‘significant backlogs’ and delays reported by GPs getting the notes they need had ‘serious impacts for many primary care users and their patients’.
There were also issues affecting payments and registering GPs to the performers list.
