A number of GPs and practice managers who have undergone checks to become their practice’s CQC registered providers have had their confidential personal information lost by the regulator.
In a serious incident report (SIR) released on Thursday, the CQC announced it had lost 500 ’disclosure and barring service (DBS)’ files – formerly known as CRB checks – which Pulse understands include those from primary medical services.
The files contain details of GPs and practice managers who have applied to be the practice’s CQC lead, including personal information such as their name, and date and place of birth, but also mental health information.
The CQC has written to GPs to apologise and notify them of the data breach, which occured during an office refurbishment.
It comes as the regulator announced earlier this month that practices could expect ‘strengthened’ inspections on their data security processes, as part of an overhaul of how the NHS manages sensitive information.
The CQC report says theft ‘cannot be ruled out’ but believes this is unlikely. However, it concludes the information could cause ‘harm and distress’ should it fall into ‘unscrupulous hands’.
The report highlights that the files were lost when a cabinet was accidentally tagged for removal partly due to a lack of on-site supervision by CQC staff.
CQC chief executive David Behan wrote to affected individuals earlier this week to notify them of the breach, and an independent review of the CQC’s security arrangements has been launched.
A statement on the CQC website says: ‘During a planned refurbishment of its office in Newcastle earlier this month, it appears that a locked filing cabinet containing up to 500 DBS certificates was wrongly marked for removal and destruction.
The SIR report concludes: ‘The root cause of the loss of these documents was the last minute verbal changes to the requirements for the contractors made on 7 July, the lack of adherence to the documented plan and a misunderstanding between CQC staff and the primary contractor team.
‘Should the information contained in the missing folders fall into unscrupulous hands then is has the potential to cause further harm and distress to the individual data subjects.’
There are 38,000 CQC registered managers in England, the majority of whom operate adult social care homes, and they are responsible for ensuring their provider meets CQC standards.
The CQC requests copies of DBS certificates as part of its registration checks. The recent breach relates to applications between July 2015 and March 2016 – an online system was launched in April 2016 which removes the need for paper copies.
Mr Behan said: ’I would like to apologise to the individuals whose DBS certificates have been lost during the recent refurbishment of our office in Newcastle and for any distress this may cause. I deeply regret that this has happened.’