Cookie policy notice

By continuing to use this site you agree to our cookies policy below:
Since 26 May 2011, the law now states that cookies on websites can ony be used with your specific consent. Cookies allow us to ensure that you enjoy the best browsing experience.

This site is intended for health professionals only

At the heart of general practice since 1960

The cancer diagnosis letter found in a car park, voicemails to the wrong person and a gate-crashed consultation: Hospital data breaches up 20% in a year

Exclusive Hospitals have seen the number of confidentiality breaches and losses of patient data rise by a fifth over the past year, with thousands of such incidents reported, a Pulse investigation reveals.

Figures obtained under the Freedom of Information Act from 55 hospital trusts who were able to provide comparable year-on-year statistics show that the number of data breaches rose from 2,337 in 2011/12 to 2,805 in 2012/13 - a 20% year-on-year increase.

Common examples included patients being given a different patient’s details in error, patient information being given to a relative without their permission, voicemails left to the wrong person, letters left in public meeting rooms and letters sent to patients’ previous GPs.

The investigation also found that there was a 15% increase in data and confidentiality breaches between 2010/11 and 2011/12. In total, the 55 trusts recorded 7,138 incidents over the last three years, results the GPC said could cause patients to ‘lose faith in the NHS’ and could undermine public trust in the move towards a ‘paperless NHS’ by 2018.

Hospitals must report incidents such as communications being sent to the wrong person, breaches of confidentiality, loss or theft of data and unauthorised access to data. Those disclosed included:

- North Tees and Hartlepool NHS Foundation Trust recorded an incident where the protected address of foster carers was disclosed to the parents of a child.

- A person who was not a member of hospital staff managed to infiltrate a patient consultation, in an incident recorded by University Hospitals of Leicester NHS Trust.

- A member of the public who was attending an appointment at the The Princess Alexandra Hospital NHS Trust found a letter in the grounds on the hospital which was addressed to a patient regarding their clinical diagnosis of cancer.

- Ashford & St Peter’s Hospitals NHS Foundation Trust recorded incidents where patient information was found in public both on and off site, and also found in private places on and off site, including in another patient’s notes. Patient documentation was also sent to the wrong patient and disclosed to inappropriate people.

- At Southend University Hospital a research fellow inadvertently left a patient’s notes in the WHSmith shop in the main outpatients reception. The pile of notes was handed in by the man at the till. The notes contained ‘very personal and sensitive information about many patients on each sheet, including the cover.’

- The same trust recorded an incident where a part set of patient notes were found blocking a rainwater run-off drain.

- at the Royal Marsden NHS Foundation Trust hospital paperwork was found in the car park

- Royal Brompton and Harefield NHS Foundation Trust recorded an incident where a number of letters from a clinical psychologist were being sent to a building shop instead of a GP surgery.

- pictures were taken and posted on Facebook in an incident recorded by Barts Health NHS Trust. In another incident sensitive information was inadvertently sent to a patient’s GP against the patient’s wishes.

Dr Chaand Nagpaul, joint chair of the GPC’s ICT subcommittee, called on the Government to address the issue of breaches of confidentiality.

He said: ‘At a time when the Government is pushing ahead with widespread data sharing, it’s vitally important the public have confidence their data is secure, only accessed when relevant to their care. This must be a priority.’

‘These sorts of statistics run the risk of patients losing faith in the NHS holding their data. It’s important Government addresses this so the public have confidence data is held securely and only accessed appropriately.’

He added that the Government’s policy of making the NHS ‘paperless’ by 2018 should not trump concerns over information governance.

He said: ‘We need to make sure the systems are fit for purpose its important policies do not run ahead of these basic rights. We need much more robust systems to protect patient data before more data sharing is introduced.’

Dr Nigel Watson, chief executive of Wessex LMCs, said the increase could be due to trusts and patients recording incidents more readily.

He said: ‘I suspect some of the increase is an increase of reporting breaches. Patients are more likely to come forward, and trusts more likely to report breaches and data losses.’

‘The health service is a complex organisation that sees hundreds of millions of patients, it’s surprising this sort of thing doesn’t happen more often.’

He added: ‘Finding letters in the car park, that’s appalling. But I would hope that we could get into real discussions about data sharing. There’s a danger of locking everyone down. It’s like the arguments about hospitals seeing GP records. We do need a system whereby we can share data professionally and we have a good opportunity now to look at our systems and make sure they are robust.’

A spokesperson for the Information Commissioner’s Office said: ‘The health service holds some of the most sensitive information available. This is why it is so important that they look after patients’ data correctly and in compliance with the Data Protection Act.’

‘We will continue to work with the health service to help them keep the personal information they use and store secure. However, organisations that fail to comply with the act leave themselves open to enforcement action from our office including, in the most serious cases, monetary penalties of up to £500,000.’

Readers' comments (5)

  • OK. Now go and obtain the equivalent information from the private sector.
    This sort of thing will happen. We don’t live in a perfect world however at least the NHS has protocols and procedures to record, assess and address these incidences and any one can access the information through FOI. However, in the private sector such breaches are kept quiet. The weaknesses leading to the loss of data may or may not be dealt with but we'll never know therefore I think it's a little unfair to name and shame NHS organisations in this way if you cannot also name and shame the private sector. If the private sector is going to be undertaking NHS work then it has to be governed by exactly the same rules for everything and that includes being subject to FOI and not being allowed to hide behind the phrase "commercial in confidence".
    I have knowledge of exactly the same breach occurring within the NHS and the private sector. The similarity between the two events was actually uncanny. The NHS breach was all over the local news and the private sector breach was kept under wraps threfore I'm less inclined to be concerned about what we do know as reported in this article and more concerned about what we dont know!

    Unsuitable or offensive? Report this comment

  • I don't agree, just because the private sector might have worse records (sorry for the pun), NHS should not be criticised.

    At the same time, you can't demand an easier access to records without more breaches happening. It's simply isn't possible unless alot of money is invested in it to change the whole system, not just at trust level

    Unsuitable or offensive? Report this comment

  • Is it really an increase of incidents, or that the NHS has geared itself up to be more transparent, and therefore looks like an increase in breaches.

    I know from my past NHS life (which ended 2 years ago) whenever a patient's label was seen on a junior doctors hand (when they were in a public area), or a set of casenotes could not be obtained from records, that we were encouraged to fill out an incident form (which fed into the Trust's risk register - and usual governance processes). This process was put in place to encourage better security of patient information. Surely the reporting of incidents is a good thing and we should stop beating up on the NHS, you'll all miss it when its gone. I know I do now I have to pay for my healthcare.

    Unsuitable or offensive? Report this comment

  • why do you hav to pay for your health care now and not previously if you don't mind us asking?

    Unsuitable or offensive? Report this comment

  • I totally agree with anonymous number one comments of
    "The weaknesses leading to the loss of data may or may not be dealt with but we'll never know therefore I think it's a little unfair to name and shame NHS organisations in this way if you cannot also name and shame the private sector. If the private sector is going to be undertaking NHS work then it has to be governed by exactly the same rules for everything and that includes being subject to FOI and not being allowed to hide behind the phrase "commercial in confidence".

    Very well said!...

    Unsuitable or offensive? Report this comment

Have your say