NHS staff breach patient data daily

NHS staff breached data protection policies five times a week on average over the past three years, with some posting patient information on Facebook.

Freedom of Information Act requests by privacy campaign group Big Brother Watch reveal at least 806 separate incidents at 152 NHS trusts in which patient medical records were compromised over this period.

Patient information was posted on social networking sites in 23 incidents, including one at Nottingham University Hospital NHS Trust in which a medical staff member posted a picture of a patient on Facebook. That staff member was one of 102 who were dismissed as a result of the breaches.

The report also identifies 129 incidents of NHS staff accessing or disclosing the medical details of a colleague or family member.

“If NHS staff cannot be trusted to abide by data protection policies when it comes to their colleagues and family, then they raise serious concerns as to the need for them to have any access at all,” the report says.

Another 57 incidents involved confidential information being stolen, lost or left behind by staff, incidents involving paper records, laptops and memory sticks.

“It is deeply concerning that in a number of cases data was not encrypted where stored electronically, or was not properly concealed and secured in the case of paper records,” it says.

Big Brother Watch director Nick Pickles said the research highlighted how the NHS was “simply not doing enough to ensure confidential patient information is protected”.

“The information held in medical records is of huge personal significance and these cases represent serious infringements on patient privacy,” he said.

“As the Summary Care Record scheme is rolled out and an increasing number of people have access to private patient information, urgent action is needed to ensure that we can be sure our medical records are safe.”

Forty-four trusts did not respond to Big Brother’s information request and 55 provided a partial response or refused to release the information, with some citing data protection issues.

Pickles said failing or refusing to disclose that a data breach had taken place was “unacceptable”.

“It is questionable at best for trusts to use the Data Protection Act to withhold details of data breaches when those NHS employees involved have failed to show the same respect for the privacy of patients or the law.”

The report comes days after the Commons' justice select committee argued courts should have the power to punish people breaching the Act with prison sentences, saying fines were an "inadequate" deterrent.

Health minister Simon Burns said the government had issued clear standards and guidance to the NHS about what needed to be done to keep patient records secure and confidential.

“Any member of staff discovered intentionally breaching this should be subject to appropriate disciplinary action,” he said.

An Information Commissioner’s Office spokesman said the ICO recently issued a joint letter with NHS chief executive, Sir David Nicholson, warning the health service about the importance of complying with the Act.

“We continue to work with organisations from across the NHS to improve the security of patients’ information and will consider taking action where it is clear that an organisation has failed to meet its legal obligations,” he said.

Only yesterday (October 27), the ICO issued an undertaking against Coventry and Warwickshire NHS Trust after the trust was found in breach of the Act.

In February, records relating to the treatment of 18 patients of the Trust were found in a communal waste bin at a residential apartment block.

In May, a member of the public found details of a patient’s sensitive medical procedures and test results in a bin outside Coventry University Hospital.