NHS 'loses' thousands of medical records
Exclusive: Information watchdog orders overhaul after 140 security breaches in just four months
The personal medical records of tens of thousands of people have been lost by the NHS in a series of grave data security leaks. Between January and April this year, 140 security breaches were reported within the NHS – more than the total number from inside central Government and all local authorities combined.
The sacred principle of doctor-patient confidentiality is being compromised, Richard Thomas, the Information Commissioner, has warned. Britain's information watchdog has ordered an urgent overhaul of data security in the health service.
Some computers containing medical records have been left by skips and stolen. Others were left on encrypted discs – but the passwords allowing access were taped to the side.
In an interview with The Independent, the Information Commissioner's chief enforcer blamed the growth of a "cavalier attitude" among NHS workers across Britain for the exposure of the sensitive records.
Mr Thomas has written to the Department of Health's top civil servant, Hugh Taylor, demanding immediate improvements to the lax treatment of personal data within the NHS.
He plans to send in a crack team of inspectors to examine how data is protected by hospitals and medical workers across Britain. Over the last six months, the watchdog has been forced to take action against 14 NHS institutions for breaching data regulations.
One GP downloaded a complete patient database, including the medical histories of 10,000 people, on to an unsecured laptop. The laptop was then stolen from his home and never retrieved. In another embarrassing breach, a memory stick containing the medical histories of 6,360 prison patients and ex-inmates of Preston prison was lost. Though the data was encrypted, the password was written on a Post-It note that was attached to the device.
Camden Primary Care Trust was also found guilty of a major security breach after old computers, containing the names, addresses and medical notes of 2,500 patients, were dumped beside a rubbish skip near St Pancras Hospital last summer. The computers, which were not encrypted, were stolen and never recovered.
The Department for Health has already responded by issuing an urgent plea to hospital managers to arrest the data breaches being committed by doctors, nurses, security and management staff.
It has reminded them of rules on encrypting private patient data and those on transferring files.
Mick Gorrill, the assistant Information Commissioner in charge of enforcement, told The Independent that a number of "inexcusable" data losses within the NHS had become a cause of "great concern".
"Medical history is very sensitive personal data, which is likely to cause harm or distress. The law dictates they must keep this information confidential, but the NHS is by far the biggest offender within the public sector," Mr Gorrill said.
"There needs to be a recognition that this information affects real people and can cause real harm if lost. Just as workers would never disclose information they had been told by a patient, they should also treat information in exactly the same way."
He added: "There is a complete disconnect between the procedures laid down by managers and what happens on the ground. We need a complete audit to try to change the culture."
He warned that while the loss of the data caused obvious distress among people who expected their medical details to be kept secret, there was also a market for the data.
"We know that some insurance companies already hire private detectives to find out medical histories," he said. "This information could do a lot of damage to many people if it fell into the wrong hands."
NHS bodies soon face substantial fines for breaches under new powers to be handed to the Information Commissioner's Office (ICO) by the end of the year. "We would not want to impose a fine as they have better things to spend their money on. But in some of these incidents, we would have little choice," Mr Gorrill said.
"For example, a man who has had cancer or a vasectomy may have only told close family. To think that is lost and in the public domain would cause obvious distress. We need to change the cavalier attitude to data of a Facebook generation."
Michael Summers, vice-chair of the Patient's Association, said that the action from the Mr Thomas was long overdue as patients had been expressing concerns over the loss of their personal data for years.
"It is a bit late as no one has been taking responsibility for sorting this out," he said. "Patients have grown up with the idea that what they tell their GP will not be divulged. These data losses totally undermine that, causing great worry to many people."
A spokesman for the Department of Health said that Mr Taylor, the permanent secretary at the department, would be replying "in due course" to Mr Thomas's concerns. He said that action would be taken "against anyone responsible for breaching our strict data protection rules".
The spokesman added: "The Chief Executive of the NHS wrote to all senior health managers reminding them of their responsibilities.
"The Department is also providing, through the National Programme for IT, electronic patient records systems that are protected by the highest levels of access controls and other security measures, a secure NHS network for exchanging information that is centrally monitored and strongly protected and secure NHS email facilities that encrypts all data in its system."
The number of data security breaches within the NHS was only slightly lower than the total number of security breaches reported to the Information Commissioner from within the entire private sector. Stolen and lost hardware was the most common reason for information disappearing.
Privacy emergencies: NHS security breaches
*Computers containing the names, addresses and medical notes of 2,500 Camden Primary Care Trust patients were left beside a skip at St Pancras hospital, London. The computers, which were not encrypted, were stolen and never recovered.
*Medical details of 6,360 inmates and former inmates at Preston prison were lost after a memory stick was taken outside the grounds and went missing. The date was encrypted, but the password had been helpfully written on a note taped to the device.
*Cambridge University Hospital lost an unencrypted memory stick carrying treatment details of 741 patients was taken away in a staff member's car. The stick was found by a car wash worker who worked out who the device belonged to after accessing it.
*The unencrypted medical histories of 2,300 cancer patients were compromised by Hull & East Yorkshire Hospitals NHS Trust after the theft of a desktop computer and a laptop.
*Two laptops were stolen from Central Middlesex hospital, and a desktop computer from nearby Northwick Park hospital, after the card security system was disabled for maintenance. Test results of 361 patients were lost. The details were encrypted.
View all comments that have been posted about this article.
Offensive or abusive comments will be removed and your IP logged and may be used to prevent further submission. In submitting a comment to the site, you agree to be bound by the Independent Minds Terms of Service.
- Print Article
- Email Article
-
Click here for copyright permissions
Copyright 2009 Independent News and Media Limited


Comments
.Thank You.
Safaa Elsherif
IT Consultant.
safaa2000_eg@yahoo.co.uk
People who are working less tghan 5 years,inside or about should pay full fees for hospital to help such expensive technology.
http://www.thebigoptout.com/?page_id=3
Accordingly loss of sensitive data is to be taken as a normal consequence of keeping data, and a change of mindset is required to accept that.
It is no good and its frankly ludicrous to continue setting up databases to be surprised and condemnatory of data losses when the natural consequence is for data to be lost.
High propensity for data to be lost should be factored in from the outset when deciding whether databases should be set up in the first place - Perhaps that much is now sinking in with MPs whose own personal data loss is currently exposing their extravagant expense claims. No, your'e right, it probably isn't.
Blame the insane privatisation process, in this case the contracting out of the IT systems to incompetent private contractors.
Support KEEP OUR NHS PUBLIC and join or set up your own local group.
http://www.keepournhspublic.com/index.p
So, you can take your ID cards, Gordon, and you can shove them where the sun don't shine!
http://www.youtube.com/watch?v=CnqCUvGh
hospitals and medical workers across Britain."
At our expense. If ever a phrase could repalce the old adage about locking
" ....the stable door after the horse has bolted" the phrase above is a prefect repacemtn. !!
Why aren't sensible security systems already in place ?
If they are - I expect to see several people being sacked . But it's unlikely !!
What is the point of having all this fancy - and very VERY expensive equipment - when you let monkeys use it ?
How many more private details are going to be lost ??
We read of one mllion pound IT disaster after another , involving the government
and the civil service.
On alternate weeks there has been substantial loss of private data.
So they waste million one week - and lose all the information they have collected the next !
never mind - it's only OUR money and OUR lives.
maybe they don't - but that is no reason to abdicate ALL personal responsibility.
if you do something stupid - you should look in the mirror - not over your shoulder.
Civil servants have too much power over the citizens of this country - and often
excercise that power with no consideration, fairness or justification.
They delight in lecturing people and using the full power of the state to bully people.
I had to complain to my MP about unreasonable behviour of one department.
I did this because after many years of running a small business - and being bullied by petty bureaucrats from one government department or another - I was at the end of my tether.
This was not the first time - it was one of many irritating and unecessary confrontations with
people who have nothing better to do with their day than force people to account for every
move they make and very penny they spend.
To think, I did not bother claiming petrol - used on business - because I could not be bothered with the excessive and intrusive records the Inland Revenue demanded. ( I know it's the HMRC now ) -
but I now see a government minister claiming for a Kit Kat !!!
Civil servants - little or no accountability - yet a lot of power over people.
furore, debate and distraction hides what is truly happening, by quietly invoking into law, further "legal" abuses to our personal private
data whilst our backs are turned.
Big issue, very important, read here:
http://www.guardian.co.uk/politics/2
Beyond financial charades, corporate abuses, ministers expenses and many other issues that have become public knowledge in recent times,
"the people" are denied proper and open debate on our basic freedoms.
We must stop this.
The Executive Branch of Westminster must warrant the closest scrutiny and investigation on all of the events of recent times immediately.
Write to your MPs, form action groups, contact anyone that may assist in putting a stop to this crime against the people.
I suggest we form some working parties of our own, online. Let's cook this stuff!
Stacked by a skip with the password taped to the side says more of a complacency, says to me "dead drop" or "cold drop", I think an examination of some of the people involved and the sudden appearance of a new car, mortgage paid off or inexplicable promotion might draw a line to what is really going on here.
After all, it's inconceivable isn't it that the Labour created/run NHS would employ ill-qualified staff to just to save money.
When Trains were privatized ,school leaver used by "hidden hand" to ask them to put shapes to delays the trains,trains lost their name,"virgin" and privatizes the service after they ruined the name,so they bought it cheap.
Hospital gradually lost the names ,moral of Medical staff is low,efficiency is poor,at high cost,hand on hand the bankers put their knifes in the NHS by buying the hospital from inside,Restaurant,service,security,parki
Imagine that your money is used by the bankers to privatize your own intuitions...?
Be aware that media knows less than reality,Zion Protocol was not believed though our life is full of facts of what Zion planed to the world,day after day i an convened with this.
Or if really must collect it, don't keep it on a massive centralised database?
The trouble seems to lie in the local data protection culture - e.g. the average general medical practice has about 6,000 patients, and obviously the practice has to keep medical records for them: before computer memory was so cheap, these records would have filled several filing cabinets, and no-one would ever think of carting all those home at night-time. Now that a single memory stick can store all these records, people take copies *just because they can* (and then lose them).
A similar previous example was the naval officer who lost a laptop containing details of everyone who had applied for the navy in the last seven years (600,000 people). Why did he think he had any need to carry all that data around ?
It is people's attitudes to security that needs updating, not the security itself - if a bank worker did the same with all his customers' records, he would be sacked - NHS workers should have the same threat hanging over them, then they might take some notice ! The same goes for when they authorise disposal of a computer : whoever authorises the disposal must be held responsible for ensuring that all data is wiped before the hardware leaves the site.
It's just a knee-jerk reaction though to call for the national databases to be scrapped: if one bank-worker failed to protect data, would we say the whole banking system should go back to paper-and-pen records ?
The problem is, with a million accredited users, some will pull your record if bribed.
The "sealed envelope" approach could serve as a disincentive to this sort of crime, but the UK government's track record on data security is poor and does not inspire confidence.
Not wishing to contribute to such a database as a GP was certainly a factor in my deciding to quit the UK.
I thank you
Firozali A. Mulla
reverse infertility
Legit Online Jobs
stop Panic attacks without medication
Colon Cleanse Detox
Does HGH work
Are these stolen medical records being sold on??????