Millions of personal medical records have been lost by NHS trusts and hospitals, in the latest of a long series of data breaches which include staff losing laptops and memory sticks, and in one case faxing details of patients’ operations to the wrong number.
The Information Commissioner will impose fines of up to £500,000 on hard-pressed NHS trusts and hospitals in order to counter what he called a “disturbing” culture in the health service.
Millions of individual records are believed to have been lost and the Commissioner, Christopher Graham, has called a meeting with the chief executive of the National Health Service, Sir David Nicholson, to discuss the problem.
“There’s just too much of this stuff going on,” Mr Graham told The Independent. “The senior management is aware of the challenge but the breaches continue. Whether it’s a systemic problem in the NHS or an epidemic we have got to do something about it.
“Health service workers look after their patients very carefully but don’t always look after their data very carefully.”
Mr Graham warned of the dangers posed by a market in unlawfully obtained personal data that was being fed by tabloid journalists, the insurance industry, lawyers acting in divorce and child custody cases, and people looking for vulnerable individuals to target in scams.
He called for an increase in the penalties imposed in such cases, brought under section 55 of the Data Protection Act. “It’s a much wider problem and we do need some tougher penalties because the courts don’t seem to regard it as a terribly serious offence.”
The commissioner spoke out as he announced that five more health organisations had agreed to undertakings to improve security after being found to have committed major breaches of data protection. In February, Ipswich Hospital NHS Trust misplaced 29 records after a member of staff took them home to update a training log and then lost them. In the same month, a medical practice in Durham sent out details of patients’ operations to the wrong fax number. Other breaches were recently committed by East Midlands Ambulance Service NHS Trust, Lancashire Teaching Hospitals NHS Foundation Trust and Basildon and Thurrock NHS Trust.
The Information Commissioner is investigating how the NHS North Central London Trust managed to lose a laptop containing an estimated 8.3m patient records. It also recently emerged that thousands of notes belonging to cancer patients have gone missing from the abandoned Belvoir Park hospital in Belfast, which closed in 2006.
“It could either be deeply embarrassing and upsetting to people who are not well,” said the commissioner. “But also it’s a source of personal information which can be abused for all sorts of purposes about identity theft, blackmail or whatever. There’s a market in the unlawful disclosure of personal information that’s supposed to be protected by the Data Protection Act.”
He cited a recent case in Bury where information on accident victims was being provided to a claims management company. “It’s all too easy for information to be blagged from the doctor’s surgery. You can ring up, pretend to be somebody else and you are not very often challenged by the questions you would face if you were ringing up your bank. You don’t have to prove who you are.”
The Labour MP Chris Bryant warned last night that rogue private investigators might seek to obtain personal medical information for sale to the tabloid media. “One of the first things they seek to do is get hold of medical records, whether somebody has had treatment for depression, whether somebody has had drug or alcohol dependency, whether they have had an abortion or their HIV status, that’s the kind of things the tabloids make their money out of and it’s really important that hospitals and GPs and anybody in the health service is really tight on all this data.”
Mr Graham has written to Sir David to warn him that a period of reform in the NHS represented a “moment of maximum risk” of further data breaches.