
Patient data breached five times a week. Do you trust the NHS?

The foundation of the doctor/patient relationship is trust, but it seems you can’t say the same of the NHS in this digital age. Patient data is apparently leaked five times a week – staff need to take extra care with technology.

According to Freedom of Information Act requests by Big Brother Watch, there were 806 incidents over the last three years where the laws protecting the privacy of patient records were breached.

Breaches included 23 instances of patient information being posted on a social network, 91 incidents of staff looking up colleagues’ details, while 24 NHS trusts saw confidential information stolen, lost or left behind by staff.

It isn’t hard to believe. A quick search on Google reveals a catalogue of past data breaches. In September 2010, for example, The Surrey and Sussex Healthcare NHS Trust lost 800 patient records on an unencrypted data stick.

Technology isn’t to blame for data breach epidemic

The head of strategic relations at the Information Commissioner’s Office (ICO), Jonathan Bamford, has previously said that the number of NHS data breaches is a ‘cause for concern’.

In the same speech Bamford said that health care professionals often fail to realise how technology can endanger patient privacy. My question is why?

My doctor is privy to a host of information about me and also happens to have kids at the same school as mine (I often blush when we exchange “hellos” at the school fete) but she’d never dream of sharing this information with other parents. Nor should she.

It’s laughable that any NHS staff member could think it acceptable to publish patient records on a social network like Facebook. A lack of tech nous is no excuse – there are few who are ignorant of the public nature of Facebook.

Speaking at a previous health care conference, Bamford summed up the situation well:

‘The same people who wouldn’t dream of chatting about patient information […] down the curry house on a Friday evening, are the very same people who are losing memory sticks with lots of information on it.’

Is dismissal part of the cure for NHS data breaches?

Of the 800 incidents discovered, just 102 cases resulted in staff dismissal. So should more NHS staff be sacked if they’ve been found guilty of breaching patient data?

In a survey of over 1,000 UK patients, 87% said NHS managers should be sacked or fined if they knew of potential data risks and failed to act on them.

It may sound radical, but I’m also inclined to agree with the 97% who said that NHS managers should have a ‘legal and ethical duty to protect their data’.

If they don’t accept this responsibility then the net result could be a loss of trust in the NHS and those who work for it. Were that to happen, I’d consider it a medical emergency.


This is not good but I doubt that anyone dies as a result of such carelessness. I think the main focus needs to be on keeping people alive and healthy.

I suspect the above may be one of those responsible, judging by questionable attitude. In the late 60’s, before Thatcher’s cuts, I had research to find why I had chronic UTIs. 3 weekly waiting 5 hrs to access medication. It was found I had spina bifida occulta plus numerous other associated conditions which have since been ignored. The notes were returned to me [legal?] along with numerous appts wound up by the administration. Since then the condition has been ignored. Consequently I had a cardiac arrest where I died 3x, so suspect false economy.

Well how about this, I have children at the same school as my midwife’s children, the midwife’s oldest child (of about 9yrs old) was telling my eldest daughter only last week about the circumstances over us leaving the last place we lived at (which were grossly exaggerated but with an element of truth that only the midwife knew), and personal details over my medical condition. If I complain I’ll be disallowed from having a home birth, so I can’t do anything about it until the baby has been born, in the meantime this woman is going around telling god knows who, god knows what, about me and my family and to make it worse, only a tiny bit of it is accurate…

Why on earth would snitching on the midwife stop you from having your baby at home?

You are allowed to have your baby where and when you see fit, surely?

Unless there are complications in your pregnancy I can’t see why you shouldn’t give birth at home.

with held says:
3 November 2011

I work in the NHS and I can tell you that the leaks are just the tip of the iceberg. 99% of patient data breaches are covered up by overpaid incompetent managers, and illiterate staff.

Hi UK biggest sceptic, You should complain not only to seek appropriate action against the midwife but to stop her other patients suffering similar problems. Telephone your Primary Care Trust for guidance on lodging your complaint to them. You can also complain separately to the Nursing and Midwifery Council which regulates those professions and has the authority to stop nurses and midwives from practising where appropriate.

Fath says:
4 November 2011

Funny how other people have access to our records, yet we cannot as yet see our own records. I signed up for this nearly 2 years ago & I am still waiting – we were told System One was needed, this is now available but GPs are still reluctant to allow us to see them.

Phil James says:
4 November 2011

I have worked in the National Programme for IT since its inception (and previously in the NHS) and can comment that a vast sum of public money has been spent on security design/features in a host of NHS applications. However, poor practice and ignorance in a range of primary, secondary and tertiary healthcare settings has led to the kind of issues listed (and underestimated) above. The only solution is to ensure every system user is audited and made personally responsible for their actions. This must include the option for dismissal.

This was (is?) a vast project, it may save lives, but most of the IT people I know who have been involved with it have all said the same thing. It has been designed in a top down manner, so the needs of the most frequent end users were ignored in favour of management needs. I think it is also fair to say that a less ambitious aim, well implemented that could be expanded upon would have been more successful and less costly.
With the NHS being I believe the largest European employer, leaks are almost inevitable. Perhaps the question that should have been asked is “do the benefits of this idea outweigh the downside of the inevitable leaks?” With our society apparently hell bent on following the Americans into litigation being the first rather than the last resort I’m sure the ambulance chasers who are as morally bankrupt as the press will find ways of getting information they are not entitled to, but that is not the problem with this project more a reflection on where our society is headed

Everyone has a right to see their own personal records but you may have to pay a fee since this may involve additional professional time. Privacy of medical records is absolutely fundamental – if information leaks people may tell the doctor a very limited story, and not get properly diagnosed and treated. Hence data privacy is paramount to keeping people alive and healthy. Doctors don’t take the Hippocratic Oath, that’s a myth, but they are required to observe the basics by the General Medical Council. Nurses also have codes of conduct but I’m not sure where managers stand other than contractually. When I was a GP we were able to look up pathology (test) results online and access was remotely cross referenced with our electronic patient list of the day. I was once phoned to explain why I had accessed a lady’s path record – she walked in as an emergency, but it was reassuring that the system worked!
I used to worry about the never ending and increasing demand for the totality of a patient’s notes by injury lawyers, especially since some of the data was very very personal and when I rang the patient to check if they had given full informed consent to this they were horrified, so records had to be withheld, but not everyone is conscientious. Then the records presumably get sent out to consultants as well and goodness knows who opens and looks inside the bursting envelopes.
In such a huge organisation data can never be 100% secure which is why many GPs felt strongly against the centralisation of medical records, and certainly didn’t want their own records uploaded.

Yes…. I got the totality of my medical records gratis from my personal injury
solicitor in regard to an unrelated matter I’m contemplating suing myself. And such totality
includes complete bundle of patient notes in respect of other and previous GPs (of long ago)
as well, I was a little astonished to find.

I have to say though what I’d actually said to the GP was not always accurately reflected
in the notes made. So a caveat to all.

There may well be a charge if I were to approach my GP for such identical information,
warts and all, that is, however, not in his/her power to withhold on payment of prescribed

Fath says:
4 November 2011

The whole idea of “Summary Care Records” within the “Health Space” system was so that the patient could see their own record online without having to pay for it. I would like to check mine as I sometimes think that what has been said/written in them is not always an accurate representation of what was (or what I understood was said) said at a GP visit, or hospital appointment. I have had a Health Space account since March 2010 & was told, by letter, that my SCR would be created by June 2010. So far (October 2011) this has not happened, so I contacted them. I am awaiting a reply from the Health Space people as to why it has not happened. My account is password protected.

I find it hard to believe any large organisation is to be trusted with our personal data. The bigger the organisation, the less I trust. And with the government, I don’t trust them at all!

There seems to be little common sense these days. The rigmarole of going through anti-laundering security to sell a house or purchase some foreign currency seems totally ott to me.

I trust my doctor, but I don’t trust the computer systems or the procedures for handling sensitive information. Even MPs throw private correspondence in public bins.

Jason says:
5 November 2011

I don’t know why people are complaining so much: We get the NHS for free (at point of delivery) and (to keep costs down) it employs staff for as little as possible and provides meagre support for these workers. High quality service and top quality staff backed by world class systems is not on the agenda as the British public has shown no desire to pay more either via taxes or personally (private or co-payment systems). We have clearly got the NHS we have paid for which means demoralized, substandard clinical and managerial staff who have a correspondingly low interest in the niceties of data protection and refraining from idle gossip about patients.

Ken H says:
5 November 2011

I refused a request from my GP to allow my medical information to be put onto the National Database, but when I had to contact NHS Direct they asked my permission to access my details online, and could quote information that I would only choose to discuss with my Doctor.
I refused to go onto the database in the first place, knowing that anyone in the NHS could access my private information, and from past experience I know that there is no effective protection from hackers and persons searching for personal information. I have since received offers from private medical companies directly related to my medical condition that can only have come from confidential information, and this has only happened since I refused to go onto the National Database. No doubt someone is making money by selling my personal medical information.

busy b says:
3 February 2012

Instead of spending such vast sums on well paid IT consultants & new hardware – sort out the other problems the NHS has first, before embarking on new venture – This is the GROUND WORK for a UK NHS branded ‘IDENTITY CARD’ !

I am currently waiting for my local NHS trust to come up with a decent explanation of why and how they managed to lose my data, which was copied onto a private and unencrypted USB stick. This they said was found nearby the hospital grounds… I don’t believe in anything they say and would you! This occurred at the Eastbourne DGH.

I occasionally wonder whether the NHS should be turned into another constituent part of the United Kingdom with its own elected Parliament, its own revenue raising powers, and its own engagement with the population. It seems at the moment that there is no consistent way in which the funds available are allocated, or decisions made about which procedures or treatment programmes can or cannot be afforded, there seems to be no rational, equitable and accountable philosophy about the objectives of the service and the priorities in terms of a hierarchy of access to treatment and intervention. I might be doing the NHS a great disservice, but if all this is being taken care of why is it not in the public domain?

To some degree, treatment is available according to whether a drug happens to be on the market that relieves the condition, or whether a procedure has been developed to restore bodily functionality, but then only if the relevant NHS trust has any money left in its budget, hence the ‘postcode lottery’. This is not rational, nor efficient, nor ethical.

Where is the debate taking place about the rights and wrongs of costly treatments deriving from the consequences of self-selected lifestyles or behaviours? Is sustaining life always the right answer? Is denial of treatment a legitimate response in certain conditions or circumstances? Why are hospices having to be funded by charitable resources? Should there be a national nurse recruitment, training and development programme that also concerns itself with the health and safety of the nurses themselves? As the gatekeepers to the NHS’s advanced services, are the GPs enabled and guided to making the right decisions, and should the only criterion be the best interests of the patient? What is the value and role of preventive work and education in the allocation of resources? Is there a place for a compulsory triennial examination to screen for incipient conditions and develop personal treatment or alleviation programmes? Should the NHS intervene in the availability and consumption of unhealthy products?

Questions such as these are probably being debated within the internal committees of the Department of Health and the NHS apparatus but the only things that seem to come out are reports that if all hospitals bought the same toilet paper we could save a million pounds a year and the debate descends to that sort of level.

There are two problems: we’re living longer, although not necessarily more healthily, and treatments have become both far more effective and far more costly.

It’s not unique to us. Every developed country has the same issues, but few are prepared to raise taxes sufficiently to pay for it. Denmark is, however, and perhaps they offer a route forward.

The additional problem in this country, for historical reasons, is that we have this sense of entitlement to a completely comprehensive health service with no budgetary or staffing or equipment limitations on its delivery. You could double the scale of the NHS and still leave dissatisfaction. Politicians will not face up to this. Once again in the UK public services, in terms of resource provision, the best has become the enemy of the good.

It’s tricky, isn’t it? Repeated crises with A & E, bed blocking, shortage of GPs – all these require different solutions. You could attempt to ameliorate the worst times at A & E with a few simple measures, such as more rapid and effective triage teams, better security and a more intolerant approach to abusers and drunks. But bed blocking, which I believe is one of the worst issues, exists because ancillary and post-operative services have been slashed, so hospitals (whose hands are full with treating people) are having to spend valuable time attempting to liaise with social services in various other counties and – because hospitals can’t simply throw old folk out on the street – the patients are stuck.

But social care budgets have also been slashed, so they’re stuck too. There are no villains in all of this, much as we might like to find some. It’s a question of funding the services we have adequately which means tax rises.