NHS ‘loses’ thousands of files
The personal medical records of tens of thousands of people have been lost by the NHS in a series of grave data security leaks.
Between January and April this year 140 security breaches were reported within the NHS – more than the total number from inside central Government and all local authorities combined.
The sacred principle of doctor-patient confidentiality is being compromised, Richard Thomas, the Information Commissioner, has warned. Britain's information watchdog has ordered an urgent overhaul of data security in the health service.
Some computers containing medical records have been left by skips and stolen. Others were left on encrypted discs – but the passwords allowing access were taped to the side.
The Information Commissioner's chief enforcer blamed the growth of a “cavalier attitude” among NHS workers across Britain for the exposure of the sensitive records.
Mr Thomas has written to the Department of Health's top civil servant, Hugh Taylor, demanding immediate improvements to the lax treatment of personal data within the NHS.
He plans to send in a crack team of inspectors to examine how data is protected by hospitals and medical workers across Britain. Over the last six months, the watchdog has been forced to take action against 14 NHS institutions for breaching data regulations.
One GP downloaded a complete patient database, including the medical histories of 10,000 people, on to an unsecured laptop.
The laptop was then stolen from his home and never retrieved.
In another embarrassing breach, a memory stick containing the medical histories of 6,360 prison patients and ex-inmates of Preston prison was lost.
Though the data was encrypted, the password was written on a Post-It note attached to the device.
Camden Primary Care Trust was also found guilty of a major security breach after old computers containing the names, addresses and medical notes of 2,500 patients were dumped beside a rubbish skip near St Pancras Hospital last summer. The computers, which were not encrypted, were stolen and never recovered.
The Department of Health has already responded by issuing an urgent plea to hospital managers to arrest the data breaches being committed by doctors, nurses, security and management staff.
It has reminded them of rules on encrypting private patient data and those on transferring files.
Mick Gorrill, assistant Information Commissioner in charge of enforcement, told The Independent that a number of “inexcusable” data losses within the NHS had become a cause of “great concern”. “Medical history is very sensitive personal data, which is likely to cause harm or distress. The law dictates they must keep this information confidential, but the NHS is by far the biggest offender within the public sector,” Mr Gorrill said.
“There needs to be a recognition that this information affects real people and can cause real harm if lost. Just as workers would never disclose information they had been told by a patient, they should also treat information in exactly the same way.”
He warned that while the loss of data caused obvious distress among people who expected their medical details to be kept secret, there was also a market for the data.
“We know that some insurance companies already hire private detectives to find out medical histories,” he said. “This information could do a lot of damage to many people if it fell into the wrong hands.”
NHS bodies soon face substantial fines for breaches under new powers to be handed to the Information Commissioner's Office (ICO) by the end of the year.
“We would not want to impose a fine as they have better things to spend their money on. But in some of these incidents, we would have little choice,” Mr Gorrill said.
Michael Summers, vice-chair of the Patients Association, said that the action was long overdue.
A spokesman for the Department of Health said that Mr Taylor, the permanent secretary at the department, would be replying “in due course” to Mr Thomas's concerns.