Failures over patients’ information nearly double at hospitals and other NHS bodies
By Matthew Gilley | 29 February 2016
“Storing any personal information is inherently risky” – Simon Rice, technical manager, ICO
Security breaches over personal data held by the NHS nearly doubled to more than 100 during the last financial year, Exaro can reveal.
Figures obtained under the Freedom of Information Act show that there were 105 such breaches in hospitals and other bodies in the National Health Service in the financial year 2014-15. This was an increase of 81 per cent on the previous year, when there were 58 security breaches over personal data.
The Information Commissioner’s Office (ICO), which regulates the protection of personal data, supplied the figures to Exaro. It said that action was taken to prevent repetitions, including six “enforcement notices” against NHS bodies in 2014-15.
Daniel Nesbitt, research director of Big Brother Watch, which campaigns on protection of personal data, said: “Urgent action is needed to ensure that medical records are kept safe.”
The breaches covered the loss or theft of personal data, or some other way that information was compromised.
The figures give no indication of how many people had their data compromised.
There were 21 security breaches with personal data at private health companies in 2014-15, up from 10 the previous year.
Birmingham and Solihull Mental Health NHS Foundation Trust had the highest number of breaches in 2014-15 – eight. The trust provides mental-health services in the region from 50 sites, including acute wards and day centres.
A spokeswoman for the trust said that it had “a strong commitment to information governance”. She said: “All information incidents are investigated, action considered, lessons learned are identified and fed back to all staff.”
“In 2014-15, the trust volunteered for an audit by the Information Commissioner, and the result was ‘reasonable assurance’ which acknowledged the well-established systems and processes.”
North Tees and Hartlepool NHS Foundation Trust, which runs two hospitals, and Central London Community Healthcare NHS Trust, which provides health services in people’s homes or in clinics across the capital and Hertfordshire, each had five such breaches in the last financial year.
In one incident at North Tees and Hartlepool NHS Foundation Trust, according to the ICO, a folder with “highly sensitive personal data” was found at a bus stop.
The ICO found that the trust’s rules around secure transportation of documents were “impractical”. It imposed an enforcement notice to force the trust to improve data protection.
Lynne Hodgson, director of finance, information and technology at the trust, said: “Where possible, we have put in place technical solutions to mitigate and reduce the risk of the high human-error factors involved in these incidents.”
“We are confident that these actions will, as far as humanly possible, prevent such incidents happening again.”
A spokeswoman for Central London Community Healthcare NHS Trust said that it had also improved the security of patients’ data in response to the breaches. “All security breaches within our organisation are taken very seriously,” she said.
Simon Rice, technical manager at the ICO, said: “Storing any personal information is inherently risky.”
“This is why, if you are collecting personal information, you must make sure you are looking after it in a safe and secure manner.”
Big Brother Watch’s Daniel Nesbitt said: “The information contained in our health records can reveal a huge amount about us. For this reason, it is vital that it is kept secure.
“With an increasing number of people who have access to patients’ information and with databases growing larger and larger, the threat of data breaches will only become worse.”
He added: “The punishments available must reflect how damaging these cases can be.”
The sheer volume of personal data held by the NHS goes some way towards explaining the large number of security breaches.
After the health sector, the most breaches in 2014-15 were in local government, where there were 86, up from 79 the previous year.
There were also 17 breaches of personal data in “policing and criminal records” last year, and the same number in 2013-14.
That was only one fewer last year than in the telecoms sector, which has suffered some high-profile security breaches over personal data.
The Metropolitan Police Service had five breaches, which a spokesman blamed on human error.
The Met had a “robust security policy”, said the spokesman, who admitted that the breaches were nonetheless “a matter of concern”.