The cancer diagnosis letter found in a car park, voicemails to the wrong person and a gate-crashed consultation: Hospital data breaches up 20% in a year
Exclusive Hospitals have seen the number of confidentiality breaches and losses of patient data rise by a fifth over the past year, with thousands of such incidents reported, a Pulse investigation reveals.
Figures obtained under the Freedom of Information Act from 55 hospital trusts who were able to provide comparable year-on-year statistics show that the number of data breaches rose from 2,337 in 2011/12 to 2,805 in 2012/13 - a 20% year-on-year increase.
Common examples included patients being given a different patient’s details in error, patient information being given to a relative without their permission, voicemails left to the wrong person, letters left in public meeting rooms and letters sent to patients’ previous GPs.
The investigation also found that there was a 15% increase in data and confidentiality breaches between 2010/11 and 2011/12. In total, the 55 trusts recorded 7,138 incidents over the last three years, results the GPC said could cause patients to ‘lose faith in the NHS’ and could undermine public trust in the move towards a ‘paperless NHS’ by 2018.
Hospitals must report incidents such as communications being sent to the wrong person, breaches of confidentiality, loss or theft of data and unauthorised access to data. Those disclosed included:
- North Tees and Hartlepool NHS Foundation Trust recorded an incident where the protected address of foster carers was disclosed to the parents of a child.
- A person who was not a member of hospital staff managed to infiltrate a patient consultation, in an incident recorded by University Hospitals of Leicester NHS Trust.
- A member of the public who was attending an appointment at the The Princess Alexandra Hospital NHS Trust found a letter in the grounds on the hospital which was addressed to a patient regarding their clinical diagnosis of cancer.
- Ashford & St Peter’s Hospitals NHS Foundation Trust recorded incidents where patient information was found in public both on and off site, and also found in private places on and off site, including in another patient’s notes. Patient documentation was also sent to the wrong patient and disclosed to inappropriate people.
- At Southend University Hospital a research fellow inadvertently left a patient’s notes in the WHSmith shop in the main outpatients reception. The pile of notes was handed in by the man at the till. The notes contained ‘very personal and sensitive information about many patients on each sheet, including the cover.’
- The same trust recorded an incident where a part set of patient notes were found blocking a rainwater run-off drain.
- at the Royal Marsden NHS Foundation Trust hospital paperwork was found in the car park
- Royal Brompton and Harefield NHS Foundation Trust recorded an incident where a number of letters from a clinical psychologist were being sent to a building shop instead of a GP surgery.
- pictures were taken and posted on Facebook in an incident recorded by Barts Health NHS Trust. In another incident sensitive information was inadvertently sent to a patient’s GP against the patient’s wishes.
Dr Chaand Nagpaul, joint chair of the GPC’s ICT subcommittee, called on the Government to address the issue of breaches of confidentiality.
He said: ‘At a time when the Government is pushing ahead with widespread data sharing, it’s vitally important the public have confidence their data is secure, only accessed when relevant to their care. This must be a priority.’
‘These sorts of statistics run the risk of patients losing faith in the NHS holding their data. It’s important Government addresses this so the public have confidence data is held securely and only accessed appropriately.’
He added that the Government’s policy of making the NHS ‘paperless’ by 2018 should not trump concerns over information governance.
He said: ‘We need to make sure the systems are fit for purpose its important policies do not run ahead of these basic rights. We need much more robust systems to protect patient data before more data sharing is introduced.’
Dr Nigel Watson, chief executive of Wessex LMCs, said the increase could be due to trusts and patients recording incidents more readily.
He said: ‘I suspect some of the increase is an increase of reporting breaches. Patients are more likely to come forward, and trusts more likely to report breaches and data losses.’
‘The health service is a complex organisation that sees hundreds of millions of patients, it’s surprising this sort of thing doesn’t happen more often.’
He added: ‘Finding letters in the car park, that’s appalling. But I would hope that we could get into real discussions about data sharing. There’s a danger of locking everyone down. It’s like the arguments about hospitals seeing GP records. We do need a system whereby we can share data professionally and we have a good opportunity now to look at our systems and make sure they are robust.’
A spokesperson for the Information Commissioner’s Office said: ‘The health service holds some of the most sensitive information available. This is why it is so important that they look after patients’ data correctly and in compliance with the Data Protection Act.’
‘We will continue to work with the health service to help them keep the personal information they use and store secure. However, organisations that fail to comply with the act leave themselves open to enforcement action from our office including, in the most serious cases, monetary penalties of up to £500,000.’