A shocking catalogue of blunders by Northern Ireland’s health trusts, which exposed the private details of hundreds of vulnerable patients, can be revealed by the Belfast Telegraph.
Serious lapses in data protection and confidentiality procedures saw highly sensitive information lost, disclosed to the wrong people and even published on the internet.
In one alarming case a client’s referral details were revealed on Facebook after a staff member dialled the wrong number and left a message on an answering machine.
It was among almost 100 serious data breaches reported by the region’s five health trusts in recent years. Details of the incidents were obtained after an investigation by this newspaper.
The most shocking cases include:
- Contact details for a domestic violence victim mistakenly given to her violent ex-partner by a social worker;
- A doctor who moved house, leaving behind his patient records;
- Files meant for a health board which were accidentally emailed to an education board;
- A rucksack containing radiology results which was discarded in a shop;
- And a client who was contacted by a member of the public after a social worker’s notebook was left in their home.
The findings have led to calls for an urgent review of how patient data is handled.
Alliance MLA Kieran McCarthy, a member of the Stormont health committee, said he was appalled by the mistakes.
“This is horrendous, it is absolutely shocking,” he said. “We are hearing on a weekly, sometimes even daily, basis about mishaps in the health service.
“It really is appalling and there needs to be a review into how errors like these have happened.”
Mr McCarthy called for health trusts to be more open about mistakes.
“I don’t have much trust in the health service to divulge this information,” he added.
“It is only through good, investigative journalism that we are learning of incidents such as these.”
Details of confidentiality breaches were released by the five health trusts after Freedom of Information requests.
It comes just weeks after the Belfast Trust was fined £225,000 by the Information Commission after 20,000 patient files were found abandoned at the former Belvoir Park Cancer Hospital in Belfast.
Some of the files — which included medical records, X-rays and lab results — were posted on the internet.
One of the most disturbing incidents uncovered by this newspaper took place in the South Eastern Trust last August, when details of a client’s referral ended up on Facebook.
It came after a message was left on the wrong answering machine.
Many cases relate to patient files or information which were either lost, discarded or sent to the wrong person.
A doctor in the Western Trust left patient records behind when he moved house. These were later found by the new owner.
Files were also left in shops, discarded in the street and sent to the wrong addresses.
In one incident a list of operations containing names and procedures was wrongly faxed to a Belfast solicitor’s office.
Katherine Murphy, chief executive of the Patients’ Association, said she was deeply concerned by the blunders.
“Patient confidentiality is paramount and all health trusts have a clear duty to protect sensitive data,” she said.
“Any specific examples, such as these, need to be properly investigated to ensure public confidence is maintained.”
Ken Macdonald, assistant commissioner for Northern Ireland at the Information Commissioner’s Office, said action would be taken where an organisation fails to meet its legal obligations under the Data Protection Act.
“The health service holds some of the most sensitive personal information available,” he said.
“It is, therefore, vitally important that the trusts ensure that they are taking adequate measures to keep patients’ information secure and we work with organisations across all sectors to improve the security of personal information.”
Nick Pickles, director of privacy and civil liberties campaign group Big Brother Watch, said it raised serious questions over how patients’ information is stored.
“When it comes to sensitive health data there can be no margin for error,” he said. “Patients will rightly ask if their privacy is being taken seriously enough.”
Western Trust: 7 data breaches since January 2009
A confidential report was accidentally e-mailed to the Western Education and Library Board after the wrong distribution list was used.
The patient concerned was informed and an apology given following the incident, which occurred in March.
All parties on the incorrect list were contacted and they agreed to destroy the report.
In another disturbing case, a doctor who moved house left behind patient records. These were found by the new owner.
Because the doctor no longer worked for the Trust, it was not possible to take disciplinary action.
Another folder was found in the street. It was later established that it had been placed on the roof of a car which had then driven off. According to the incident report, “appropriate” disciplinary action was taken.
Another member of staff was caught looking at a relative’s blood results. The employee was then spoken to by the manager about patient confidentiality.
A file containing confidential information was also left in a shop in Omagh.
The staff member involved was contacted by the shop and was assured no-one had opened the file.
In another incident, patient information was also mistakenly faxed to a member of the public.
A spokesperson for the Trust said it was a large organisation with around 12,500 staff, and handled large amounts of confidential data every day without incident.
South Eastern Trust: 17 data breaches since April 2008
Confidential patient details were posted on Facebook after being sent to the wrong person.
The shocking incident occurred last August when a client called to say that a message had been left on another person’s answering machine with details of her referral.
Details of this call were then posted on Facebook. The victim rang the trust to ask how the details came to be on someone else’s answering machine.
A second serious incident occurred last August when someone took a photograph of a patient on a mobile phone.
Another incident saw a document containing a job applicant’s personal details being sent to another applicant by mistake.
In another serious case, two patients with the same name were mixed up. A staff member was given the wrong patient’s number and, unaware of the mistake, spoke to that person.
Another data breach saw a handover sheet consisting of five pages of confidential information on patients who had been on the ward that day being left behind in a room.
A patient also received a letter which was intended for her GP. The package contained information on other patients. Meanwhile a patient was sent home with another person’s discharge letters.
None of the incidents resulted in disciplinary action.
A spokesperson for the Trust said it had a “very robust and well-established” risk management strategy and encouraged all data breaches to be reported.
“In the event that a client’s confidentiality is breached, the Trust is confident that the processes it has in place enable thorough investigation and that appropriate action is taken to minimise future occurrence,” they said.
Southern Trust: 24 data breaches since 2007
In two cases staff members were caught inappropriately accessing patient records on the Trust’s computer system. In a third instance, a former employee managed to access records.
In 19 of the 24 cases, patient details — including test results — were sent to the wrong person.
Last April, a client received blood results and an admission slip in the post which should have gone to another patient. In a separate case, a baby’s parents received a confidential letter containing a different family’s details.
A staff e-mail was mistakenly sent to a member of the public while a confidential document was posted to the wrong patient.
Maternity notes were given to the wrong patient; a client received a letter with admission details for another person; and information relating to a patient’s family was accidentally forwarded to another client.
Disciplinary action was taken in just two cases, both relating to the inappropriate accessing of patient records.
A Trust spokesperson said a range of policies and procedures on data protection were in place and all employees are made aware of these.
“The Trust employs approximately 13,000 staff and each day a very large volume of information regarding patients and clients is handled in a safe and effective manner.
“On the rare occasions where there is a lapse in the handling of confidential data, the Trust will investigate and take the appropriate action to protect patient/client confidentiality.”
Northern Trust: 21 data breaches since January 2008
One of the most serious blunders occurred last August when a social worker mistakenly provided a client’s details to her violent ex-partner.
The client had previously been subjected to “severe domestic violence” by her partner. The Trust’s report states it was “a significant risk” to provide him with details of her location.
In another case, a client and partner were waiting in an office to have a meeting with a staff member when they discovered a case report on another family. The client’s partner was found to have read the report.
Last June a client’s daughter lifted a set of medical notes which had been left on a trolley outside the nurses’ room and read the contents.
Another incident involved confidential client information which was mistakenly faxed to a local business rather than Trust staff. A second, almost identical incident had occurred just 10 months earlier.
In July 2010, a relative of children being cared for by the Trust advised them that their brother-in-law was in possession of a document, handed to him by another man who removed it from a social worker’s office. The document contained information on the family.
A USB drive containing patient information was also lost.
No disciplinary action was taken in any of the above cases.
A spokesperson for the Trust said staff were “actively encouraged” to report data breaches.
“We believe that through understanding of why breaches occur our security measures can be improved,” she said.
“As a matter of policy, where breaches of service user information have occurred, we will advise those affected.”
Belfast Trust: 28 data breaches since January 2009
The Belfast Trust recorded 28 data breaches, including files containing detailed information on patients which were dropped in the centre of Belfast. The case resulted in disciplinary action against a member of staff.
In another alarming lapse, a rucksack containing a patient’s radiology details was found in a shop in Belfast.
The documents also report how images from the Old Belvoir Park site had been posted on two internet sites. They show records left behind in the disused site. The incident resulted in a £225,000 fine for the Trust.
Earlier this year, a solicitors’ office telephoned to say that three operation lists had been mistakenly faxed to them. The information included names and procedures.
An agency social worker left a work notebook behind in a client’s house, and the client contacted an individual whose details had been recorded in the book.
Confidential data on four patients was e-mailed to an unknown address, while in another case information was faxed to a member of the public.
An agency staff member also abused his computer access privileges to reset the password of one of his staff for the explicit purpose of reading a confidential e-mail.
A member of the public also complained that records had been abandoned at the entrance to a ward in unsealed bags labelled ‘patient property’.
A spokesperson for Belfast Trust said the breaches did not include “near misses”, incidents contained within the Trust or where devices were encrypted.
She said that where formal disciplinary action is not pursued, an individual may be spoken to, given a formal warning and provided with appropriate training.