NHS 'loses' thousands of medical records

The personal medical records of tens of thousands of people have been lost by the NHS in a series of grave data security leaks. Between January and April this year, 140 security breaches were reported within the NHS – more than the total number from inside central Government and all local authorities combined.

The sacred principle of doctor-patient confidentiality is being compromised, Richard Thomas, the Information Commissioner, has warned. Britain's information watchdog has ordered an urgent overhaul of data security in the health service.

Some computers containing medical records have been left by skips and stolen. Others were left on encrypted discs – but the passwords allowing access were taped to the side.

In an interview with The Independent, the Information Commissioner's chief enforcer blamed the growth of a "cavalier attitude" among NHS workers across Britain for the exposure of the sensitive records.

Mr Thomas has written to the Department of Health's top civil servant, Hugh Taylor, demanding immediate improvements to the lax treatment of personal data within the NHS.

He plans to send in a crack team of inspectors to examine how data is protected by hospitals and medical workers across Britain. Over the last six months, the watchdog has been forced to take action against 14 NHS institutions for breaching data regulations.

One GP downloaded a complete patient database, including the medical histories of 10,000 people, on to an unsecured laptop. The laptop was then stolen from his home and never retrieved. In another embarrassing breach, a memory stick containing the medical histories of 6,360 prison patients and ex-inmates of Preston prison was lost. Though the data was encrypted, the password was written on a Post-It note that was attached to the device.

Camden Primary Care Trust was also found guilty of a major security breach after old computers, containing the names, addresses and medical notes of 2,500 patients, were dumped beside a rubbish skip near St Pancras Hospital last summer. The computers, which were not encrypted, were stolen and never recovered.

The Department for Health has already responded by issuing an urgent plea to hospital managers to arrest the data breaches being committed by doctors, nurses, security and management staff.

It has reminded them of rules on encrypting private patient data and those on transferring files.

Mick Gorrill, the assistant Information Commissioner in charge of enforcement, told The Independent that a number of "inexcusable" data losses within the NHS had become a cause of "great concern".

"Medical history is very sensitive personal data, which is likely to cause harm or distress. The law dictates they must keep this information confidential, but the NHS is by far the biggest offender within the public sector," Mr Gorrill said.

"There needs to be a recognition that this information affects real people and can cause real harm if lost. Just as workers would never disclose information they had been told by a patient, they should also treat information in exactly the same way."

He added: "There is a complete disconnect between the procedures laid down by managers and what happens on the ground. We need a complete audit to try to change the culture."

He warned that while the loss of the data caused obvious distress among people who expected their medical details to be kept secret, there was also a market for the data.

"We know that some insurance companies already hire private detectives to find out medical histories," he said. "This information could do a lot of damage to many people if it fell into the wrong hands."

NHS bodies soon face substantial fines for breaches under new powers to be handed to the Information Commissioner's Office (ICO) by the end of the year. "We would not want to impose a fine as they have better things to spend their money on. But in some of these incidents, we would have little choice," Mr Gorrill said.

"For example, a man who has had cancer or a vasectomy may have only told close family. To think that is lost and in the public domain would cause obvious distress. We need to change the cavalier attitude to data of a Facebook generation."

Michael Summers, vice-chair of the Patient's Association, said that the action from the Mr Thomas was long overdue as patients had been expressing concerns over the loss of their personal data for years.

"It is a bit late as no one has been taking responsibility for sorting this out," he said. "Patients have grown up with the idea that what they tell their GP will not be divulged. These data losses totally undermine that, causing great worry to many people."

A spokesman for the Department of Health said that Mr Taylor, the permanent secretary at the department, would be replying "in due course" to Mr Thomas's concerns. He said that action would be taken "against anyone responsible for breaching our strict data protection rules".

The spokesman added: "The Chief Executive of the NHS wrote to all senior health managers reminding them of their responsibilities.

"The Department is also providing, through the National Programme for IT, electronic patient records systems that are protected by the highest levels of access controls and other security measures, a secure NHS network for exchanging information that is centrally monitored and strongly protected and secure NHS email facilities that encrypts all data in its system."

The number of data security breaches within the NHS was only slightly lower than the total number of security breaches reported to the Information Commissioner from within the entire private sector. Stolen and lost hardware was the most common reason for information disappearing.

Privacy emergencies: NHS security breaches

*Computers containing the names, addresses and medical notes of 2,500 Camden Primary Care Trust patients were left beside a skip at St Pancras hospital, London. The computers, which were not encrypted, were stolen and never recovered.

*Medical details of 6,360 inmates and former inmates at Preston prison were lost after a memory stick was taken outside the grounds and went missing. The date was encrypted, but the password had been helpfully written on a note taped to the device.

*Cambridge University Hospital lost an unencrypted memory stick carrying treatment details of 741 patients was taken away in a staff member's car. The stick was found by a car wash worker who worked out who the device belonged to after accessing it.

*The unencrypted medical histories of 2,300 cancer patients were compromised by Hull & East Yorkshire Hospitals NHS Trust after the theft of a desktop computer and a laptop.

*Two laptops were stolen from Central Middlesex hospital, and a desktop computer from nearby Northwick Park hospital, after the card security system was disabled for maintenance. Test results of 361 patients were lost. The details were encrypted.