Investigation compiles grim catalog of NHS data breaches

The U.K.'s National Health Service (NHS) has lost confidential medical records and personal details of thousands of patients, according to an investigation into how the health service handles data.

Research showed that a series of losses and thefts had potentially exposed the private details of 10,000 patients around the country. The figures, obtained through a Freedom of Information request made by the Liberal Democrats, revealed incidents of data loss dating back as far as 2006.

In some cases, the patient record loss was so serious that 25 patients were visited by the police and NHS management.

In one instance, a backup tape of an entire system was stolen from a general practice in the east of England this year. In other incidents, a laptop containing more than 5,000 patients' details was stolen, and a memory stick containing 4,000 patients' records was lost. A total of 135 cases have been reported since 2006, including the loss and theft of diaries, briefcases, CDs, laptops, memory sticks and, in one case, a vehicle containing patient records.

In the past year alone, 75 NHS data breaches have been reported to the Information Commissioner's Office (ICO), according to a report released today. Jonathan Bamford, assistant information commissioner, urged the public sector and businesses to take data security more seriously.

Norman Lamb, Liberal Democrat shadow health secretary, said there must be a "fundamental re-examination of how the NHS deals with personal data". He called for better security around mobile devices and said the NHS' National Programme for IT should be abandoned.

"We already know from the information commissioner that the NHS is among the worst offenders for data loss, reporting as many incidents as the entire private sector," he added.

Speaking on the data losses on ITV's News at Ten program, Chaand Nagpaul, IT representative at the British Medical Association, said: "A lot of this is because doctors need access to mobile information about patients. That is there to help patients; however, we do believe there need to be serious safeguards."

The Department of Health said NHS Chief Executive David Nicholson had written to all senior health managers at local NHS trusts to remind them about their responsibilities around protecting data. "The NHS locally has legal responsibility to comply with data-protection rules. They are expected to take data loss extremely seriously [and] be open about incidents and about the action taken as a result," a departmental spokesperson said.

In another twist, two trusts -- NHS Tayside and NHS Lanarkshire -- were found in breach of the Data Protection Act by the ICO. The watchdog agency said confidential health records were found in abandoned buildings on the site of former hospitals in Dundee and Carluke, Scotland. The ICO has demanded that both health boards sign an agreement to follow the Data Protection Act and stick to recommendations made recently by NHS Quality Improvement Scotland to make sure it does not happen again. If the trusts fail to comply, they risk further enforcement action and possible prosecution.

This story, "Investigation compiles grim catalog of NHS data breaches," was originally published by Computerworld UK.

Copyright © 2008 IDG Communications, Inc.
