
Patient data breached five times a week. Do you trust the NHS?

The foundation of the doctor/patient relationship is trust, but it seems you can’t say the same of the NHS in this digital age. Patient data is apparently leaked five times a week – staff need to take extra care with technology.

According to Freedom of Information Act requests by Big Brother Watch, there were 806 incidents over the last three years where the laws protecting the privacy of patient records were breached.

Breaches included 23 instances of patient information being posted on a social network, 91 incidents of staff looking up colleagues’ details, while 24 NHS trusts saw confidential information stolen, lost or left behind by staff.

It isn’t hard to believe. A quick search on Google reveals a catalogue of past data breaches. In September 2010, for example, The Surrey and Sussex Healthcare NHS Trust lost 800 patient records on an unencrypted data stick.

Technology isn’t to blame for data breach epidemic

The head of strategic relations at the Information Commissioner’s Office (ICO), Jonathan Bamford, has previously said that the number of NHS data breaches is a ‘cause for concern’.

In the same speech Bamford said that health care professionals often fail to realise how technology can endanger patient privacy. My question is why?

My doctor is privy to a host of information about me and also happens to have kids at the same school as mine (I often blush when we exchange “hellos” at the school fete) but she’d never dream of sharing this information with other parents. Nor should she.

It’s laughable that any NHS staff member could think it acceptable to publish patient records on a social network like Facebook. A lack of tech nous is no excuse – there are few who are ignorant of the public nature of Facebook.

Speaking at a previous health care conference, Bamford summed up the situation well:

‘The same people who wouldn’t dream of chatting about patient information […] down the curry house on a Friday evening, are the very same people who are losing memory sticks with lots of information on it.’

Is dismissal part of the cure for NHS data breaches?

Of the 800 incidents discovered, just 102 cases resulted in staff dismissal. So should more NHS staff be sacked if they’ve been found guilty of breaching patient data?

In a survey of over 1,000 UK patients, 87% said NHS managers should be sacked or fined if they knew of potential data risks and failed to act on them.

It may sound radical, but I’m also inclined to agree with the 97% who said that NHS managers should have a ‘legal and ethical duty to protect their data’.

If they don’t accept this responsibility then the net result could be a loss of trust in the NHS and those who work for it. Were that to happen, I’d consider it a medical emergency.


This is not good but I doubt that anyone dies as a result of such carelessness. I think the main focus needs to be on keeping people alive and healthy.


I suspect the above may be one of those responsible, judging by questionable attitude. In the late 60’s, before Thatcher’s cuts, I had research to find why I had chronic UTIs. 3 weekly waiting 5 hrs to access medication. It was found I had spina bifida occulta plus numerous other associated conditions which have since been ignored. The notes were returned to me [legal?] along with numerous appts wound up by the administration. Since then the condition has been ignored. Consequently I had a cardiac arrest where I died 3x so suspect false economy.

UK biggest sceptic? says:
31 October 2011

Well how about this, I have children at the same school as my midwife’s children, the midwife’s oldest child (of about 9yrs old) was telling my eldest daughter only last week about the circumstances over us leaving the last place we lived at (which were grossly exaggerated but with an element of truth that only the midwife knew), and personal details over my medical condition. If I complain I’ll be disallowed from having a home birth, so I can’t do anything about it until the baby has been born, in the meantime this woman is going around telling god knows who, god knows what, about me and my family and to make it worse, only a tiny bit of it is accurate…

maryofdungloe says:
31 October 2011

Why on earth would snitching on the midwife stop you from having your baby at home?

You are allowed to have your baby where and when you see fit, surely?

Unless there are complications in your pregnancy I can’t see why you shouldn’t give birth at home.

with held says:
3 November 2011

I work in the NHS and I can tell you that the leaks are just the tip of the iceberg. 99% of patient data breaches are covered up by overpaid incompetent managers, and illiterate staff.


Hi UK biggest sceptic, You should complain not only to seek appropriate action against the midwife but to stop her other patients suffering similar problems. Telephone your Primary Care Trust for guidance on lodging your complaint to them. You can also complain separately to the Nursing and Midwifery Council which regulates those professions and has the authority to stop nurses and midwives from practising where appropriate.

Fath says:
4 November 2011

Funny how other people have access to our records, yet we cannot as yet see our own records. I signed up for this nearly 2 years ago & I am still waiting – we were told System One was needed, this is now available but GPs are still reluctant to allow us to see them.

Phil James says:
4 November 2011

I have worked in the National Programme for IT since its inception (and previously in the NHS) and can comment that a vast sum of public money has been spent on security design/features in a host of NHS applications. However, poor practice and ignorance in a range of primary, secondary and tertiary healthcare settings has led to the kind of issues listed (and underestimated) above. The only solution is to ensure every system user is audited and made personally responsible for their actions. This must include the option for dismissal.


This was (is?) a vast project, it may save lives, but most of the IT people I know who have been involved with it have all said the same thing. It has been designed in a top down manner, so the needs of the most frequent end users were ignored in favour of management needs. I think it is also fair to say that a less ambitious aim, well implemented that could be expanded upon would have been more successful and less costly.
With the NHS being I believe the largest European employer, leaks are almost inevitable. Perhaps the question that should have been asked is “do the benefits of this idea outweigh the downside of the inevitable leaks?” With our society apparently hell bent on following the Americans into litigation being the first rather than the last resort I’m sure the ambulance chasers who are as morally bankrupt as the press will find ways of getting information they are not entitled to, but that is not the problem with this project more a reflection on where our society is headed.


Everyone has a right to see their own personal records but you may have to pay a fee since this may involve additional professional time. Privacy of medical records is absolutely fundamental – if information leaks people may tell the doctor a very limited story, and not get properly diagnosed and treated. Hence data privacy is paramount to keeping people alive and healthy. Doctors don’t take the Hippocratic Oath, that’s a myth, but they are required to observe the basics by the General Medical Council. Nurses also have codes of conduct but I’m not sure where managers stand other than contractually. When I was a GP we were able to look up pathology (test) results online and access was remotely cross referenced with our electronic patient list of the day. I was once phoned to explain why I had accessed a lady’s path record – she walked in as an emergency, but it was reassuring that the system worked!
I used to worry about the never ending and increasing demand for the totality of a patient’s notes by injury lawyers, especially since some of the data was very very personal and when I rang the patient to check if they had given full informed consent to this they were horrified, so records had to be withheld, but not everyone is conscientious. Then the records presumably get sent out to consultants as well and goodness knows who opens and looks inside the bursting envelopes.
In such a huge organisation data can never be 100% secure which is why many GPs felt strongly against the centralisation of medical records, and certainly didn’t want their own records uploaded.


Yes…. I got the totality of my medical records gratis from my personal injury solicitor in regard to an unrelated matter I’m contemplating suing myself. And such totality includes complete bundle of patient notes in respect of other and previous GPs (of long ago) as well, I was a little astonished to find.

I have to say though what I’d actually said to the GP was not always accurately reflected in the notes made. So a caveat to all.

There may well be a charge if I were to approach my GP for such identical information, warts and all, that is, however, not in his/her power to withhold on payment of prescribed

Fath says:
4 November 2011

The whole idea of “Summary Care Records” within the “Health Space” system was so that the patient could see their own record online without having to pay for it. I would like to check mine as I sometimes think that what has been said/written in them is not always an accurate representation of what was (or what I understood was said) said at a GP visit, or hospital appointment. I have had a Health Space account since March 2010 & was told, by letter, that my SCR would be created by June 2010. So far – October 2011 – this has not happened, so I contacted them. I am awaiting a reply from the Health Space people as to why it has not happened. My account is password protected.


I find it hard to believe any large organisation is to be trusted with our personal data. The bigger the organisation, the less I trust. And with the government, I don’t trust them at all!

There seems to be little common sense these days. The rigmarole of going through anti-laundering security to sell a house or purchase some foreign currency seems totally ott to me.

I trust my doctor, but I don’t trust the computer systems or the procedures for handling sensitive information. Even MPs throw private correspondence in public bins.