LONDON – The National Health Service (NHS) has lost confidential medical records and personal details of thousands of patients, it has emerged in an investigation into how the health service handles data.
Research showed that a series of losses and thefts had potentially exposed the private details of 10,000 patients around the country. The figures, obtained through a Freedom of Information request made by the Liberal Democrats, revealed incidents of data loss dating back as far as 2006.
In some cases, the patient record loss was so serious that 25 patients were visited by the police and NHS management. In one instance, a back-up tape of an entire system was stolen from a general practice in the East of England this year. In other incidents, a laptop containing more than 5,000 patients’ details was stolen, and a memory stick containing 4,000 patients’ records was lost.
A total of 135 cases have been reported since 2006, including the loss and theft of diaries, briefcases, CDs, laptops, memory sticks, and, in one case, a vehicle containing patient records.
In the last year alone, 75 NHS data breaches have been reported to the Information Commissioner’s Office (ICO), according to a report released today. Jonathan Bamford, assistant information commissioner, urged the public sector and businesses to take data security more seriously.
Liberal Democrat shadow health secretary, Norman Lamb, said there must be a “fundamental re-examination of how the NHS deals with personal data”. He called for better security around mobile devices, and once again said the NHS’ National Programme for IT should be abandoned.
“We already know from the Information Commissioner that the NHS is among the worst offenders for data loss, reporting as many incidents as the entire private sector,” he added.
Speaking on the data losses on ITV’s News at Ten program, Dr Chaand Nagpaul, IT representative at the British Medical Association, said: “A lot of this is because doctors need access to mobile information about patients. That is there to help patients, however, we do believe there need to be serious safeguards.”
The Department of Health said the NHS chief executive David Nicholson had written to all senior health managers at local NHS trusts to remind them about their responsibilities around protecting data. “The NHS locally has legal responsibility to comply with data protection rules. They are expected to take data loss extremely seriously, be open about incidents and about the action taken as a result,” a departmental spokesperson said.
In another twist, two health board trusts – NHS Tayside and NHS Lanarkshire – were found in breach of the Data Protection Act by the Information Commissioner’s Office (ICO). The watchdog said confidential health records were found in abandoned buildings on the site of former hospitals in Dundee and Carluke, Scotland.
The ICO has demanded that both health boards sign an agreement to follow the Data Protection Act and stick to recommendations made recently by NHS Quality Improvement Scotland to make sure it does not happen again. If the trusts fail to comply, they risk further enforcement action and possible prosecution.