Door entry codes for patients’ homes mailed out in NHS data security blunder

Exclusive: Security codes for the homes of an undisclosed number of patients have been printed on the front of envelopes and mailed out, in a data security blunder which managers have warned places the elderly and ‘vulnerable’ at risk, Pulse can reveal.

The Department of Health is currently investigating the extent of the breach, which saw codes for door entry and key safe boxes ‘inappropriately’ entered alongside address information in the Personal Demographics Service, run by NHS Connecting for Health.

Patients raised the alarm after reporting that they had been sent letters with the security codes printed in the first line of the address on the envelope.

NHS Connecting for Health refused to confirm the number of letters which have been sent out, or the number of patients who have security codes for their home address stored in the Personal Demographics Service. But GPs have raised concerns, as the Personal Demographics Service is part of the NHS ‘spine’ database, holds the names and addresses of all NHS patients in England and can be accessed by a wide range of healthcare professionals.

An alert sent out by NHS South East Coast to GP practices in the area warned: ‘The National Back Office Service Management team has received a number of incidents from concerned Personal Demographics Service users who have noticed that access codes for key safe boxes and other such door entry systems are being stored within the address field on the national patient index.

‘The storage of these details on the PDS constitutes a security risk to vulnerable/elderly residents and in some cases the door entry codes have been printed as part of the address on correspondence.’

An NHS South East Coast spokesperson said: ‘NHS South East Coast forwarded on an email from the Service Management Team at the National Back Office about this issue to practices across the region. No incidents of this nature have been reported to NHS South East Coast.’

A Department of Health spokesperson refused to specify in which areas of the country patients had been sent letters.

‘We have been made aware that in a number of cases additional information about addresses has been stored inappropriately on the Personal Demographics Service,’ she said.

‘We have no evidence this had led to security breaches. We are currently investigating and will take action as necessary.’

Dr Trefor Roscoe, a GP in Sheffield and former medical IT consultant, told Pulse: ‘This is what happens when people who don’t know what they are doing are allowed to alter details on the computer.’

‘What I strongly suspect is happening here is that the district nursing service is putting the code number in the patients’ records and they have chosen the field which is the first line of the address, and because they have no understanding of the computer system, they don’t realise that this then changes the spine, and also makes it available to anyone who can see the data on the spine. Obviously it then gets printed on letters.’

‘It’s the sort of thing that we predicted to happen to all these medical GP systems. Basically, without training everybody properly there is probably not a lot you can do about it.’