NHS patient confidentiality breached 5 times every week

A new Big Brother Watch report reveals how medical information is lost, shared on Facebook and how NHS staff look at each other’s medical records

According to Freedom of Information Act requests, between July 2008 and July 2011 there were at least 806 separate incidents where patient medical records were compromised, highlighting a shocking number of incidents in the NHS where patient medical records were accessed inappropriately.

This included:

  • 23 incidents of patient information being posted on social networking sites
  • 91 incidents of NHS staff looking up details of colleagues
  • 24 NHS Trusts saw confidential information stolen, lost or left behind by staff
  • 44 NHS Trusts failed to respond to the Freedom of Information request and 55 Trusts refused to release all or some of the information requested.

Despite these breaches of Data Protection policy, just 102 cases resulted in dismissal of staff.

You can download the report here.

Nick Pickles, director of Big Brother Watch, said: “This research highlights how the NHS is simply not doing enough to ensure confidential patient information is protected.

“The information held in medical records is of huge personal significance and for details to be disclosed, maliciously accessed or lost and these cases represents serious infringements on patient privacy.

“As the summary care record scheme is rolled out and an increasing number of people have access to private patient information, urgent action is needed to ensure that we can be sure our medical records are safe.

“It is essential the NHS is transparent about these incidents and failing or refusing to disclose that a data breach has taken place is unacceptable.”

Speaking at the 10th annual data protection compliance conference in London, Information Commissioner Christopher Graham said data breaches in the NHS continue to be “a major problem”. Of the 47 undertakings the ICO has agreed with organisations that have breached the Data Protection Act since April, over 40 percent (19) were in the healthcare sector.

The research follows on from an earlier Big Brother Watch report, ‘Broken Records’, which highlighted how more than 100,000 non-medical personnel working in NHS acute trusts in Britain have access to confidential medical records, and comes days after the Commons Justice Select Committee argued courts should have the power to punish people breaching the Data Protection Act with prison sentences, saying fines are an “inadequate” deterrent.

Posted by Big Brother Watch in Data Protection, Home, Research and reports, Social Networking
  • handsoffmydata

    This is just the very tip of the iceberg. In my experience the real problems lie in all the breaches that are taking place on a daily basis and are not being recorded because so many NHS staff do not understand enough about data protection and what constitutes a breach – unfortunately my data has been breached many times by the NHS and this has resulted in me opting out of most NHS services as I cannot trust the NHS to hold and process my data in accordance with DPA and my rights.

  • Stephen Hoffman

    This is why the Coalition’s revival of the NHS Summary Care Database that goes against both Conservative and Liberal Democrat Party Manifestos is so disgraceful. Thanks once again Big Brother Watch for showing how dangerous large databases are in relation to individual freedom and privacy.

  • Grandpa1940

    When the NHS letter came through the door advising us of the Spine Database etc., I nearly fused the power in writing to state categorically that neither I nor my wife wished our details uploaded onto any sort of database, especially one as leaky as the NHS, or indeed any Govt. database.

    Between losing laptops at the rate of seventy-odd every day, plus losing 26 million entries on a CD pack, plus all the other disasters, reported about these totally unguarded entities, I’d rather trust my medical details to a firewalled GP surgery, plus explaining my symptoms if necessary at or in a hospital.

    From personal knowledge of NHS hospital IT practices, where the cleaners can log on to a patient’s records, I prefer the anonymity of ‘opting out’ of all such services!

  • David Melchiz

    You can rest assured that some sections of the NHS are now busy straining gnats so that they can appear to be extremely concerned about the security of patients’ records. I know this for a fact because my daughter, a dedicated hard worker in the NHS, is being dragged over the coals by her branch of the NHS in North Staffs (a notoriously inefficient group that those with long memories will remember for being found guilty of possessing one of the filthiest hospitals in UK recorded history and numerous resultant deaths!). The individual involved in the witch-hunt against my daughter waited until she was concussed after a blow to the head before preventing her obtaining the further medical attention she needed so that she could pursue a vendetta against her and grill her about ‘missing patient records’. These 24 (or so) sets of notes could have been lost in any number of circumstances since the predecessor (in the job subsequently occupied by my daughter) left the position and notes she should have handed over (considerably more than 24 sets) were never located. During the initial investigation my daughter’s boyfriend was allowed to take other notes that she did hold at home (under lock and key as part of her normal, approved, North Staffs/NHS working methods) to the manager who put in the complaint against my daughter. This manager then discussed some of the records with a colleague in front of the boyfriend using the names of some of the patients and thus breaking another North Staffs/NHS guideline! There are many other aspects to this case which the powers that be will doubtlessly gloss over in their attempt to maintain the high moral ground.

    For instance, we know that they have already ‘quietly’ attempted to silence those who might have been thinking of coming forward to expose the whole situation (much as Tevez’s Manchester City team-mates never ‘heard’ him refusing to ‘play’ so there were no corroborating witnesses to that debacle) by warning them of the consequences (overall patient record-keeping in that establishment was a recognised ‘joke’) if they get involved. I have already written a letter of complaint to the ‘managers’ involved and their attempted answers were laughable. The good news is that my daughter has a barrister defending her in the impending ‘investigation’ but she has already lost one job she had set her heart on as a result of an ‘Addendum’ written by North Staffs to a potential employer, before anything has been proven in this investigation! Despite this she has been accepted for every job she has applied for since leaving North Staffs and has worked constantly, although having to put herself out and suffering reduced income as a result. For anyone thinking she is ‘lucky’ to have a job I would ask them to investigate the level of security that may be employed by their authorities. Here in Cardiff, for example, you can hang around the different areas handling patients in the University Hospital, Heath, and find that patient records are transported in an unlocked supermarket trolley! This is the kind of record handling that was employed where my daughter worked – and absolutely anyone could have taken the ‘missing records’ and no one can prove when they went missing.

    I can put the details of this farce on the Internet when my daughter’s case is concluded, but it will probably just join the long list of similar horror stories that will not cease – even if huge sums are paid out in compensation after lengthy court cases that cost our cash-strapped, inefficient NHS, more funds that should go to improving services and rescuing patients from the incompetent muppets running the present show.

  • Jodunkley11

    Now that this issue has finally been uncovered could I ask why these people were not sacked? I was one of the patients this happened to and due to not being satisfied with the hospital’s response no longer will use the hospital and has been very problematic as a result. Not only did TWO in-laws read my hospital records ONE hounded me for months after, shouting all my private confidential hospital records contents that she had read, in very public places for all to hear – NOT VERY CONFIDENTIAL AFTER THIS. Upon writing to the hospital again informing them of this behaviour by the still employed family member, their response was they have dealt with her and her new actions had nothing to do with them. When the Coventry University Hospital was the place she obtained all her knowledge from, about my illnesses. So she kept her job and I was made even more unwell due to her actions but the university hospital wasn’t interested. At last someone has made it public well done Big Brother at last someone has stuck up for the victims. Thank you.

  • Pix

    @Jodunkley11 – what a totally dreadful and unacceptable situation to have found yourself in. The hospital’s reaction is so typical and does nothing to promote or satisfy data protection. Have you made a complaint about this to the Information Commission? If not you might want to consider it because the hospital would then have to justify its actions to some degree. If the person doing this and breaching your confidentiality is using data obtained from the hospital then it is very much a case for the hospital to deal with. Perhaps writing directly to the Chief Executive and informing him/her that you are contacting the Information Commissioner would help to move things along. The Information Commission telephone helpline (details on their website) http://www.ico.gov.uk can assist you with advice about how to make a complaint. Good luck.

    In my own case relating to breaches of my data in the NHS I made formal complaints to the Information Commission and they found in my favour. I removed my records from the hospital (their lawyers agreed that this was reasonable given their inability to keep my data confidential) however the hospital did not improve their ways and seemed to learn little or anything from the investigation. Further breaches happened but nobody seems to really care about the damage that this does to individuals and how difficult it makes it to trust e.g. those in the health profession – so difficult to go to the doctor for treatment when you are worried about confidentiality.

  • David Melchiz

    Further to my earlier entry (see lower page under my name) – and now my daughter’s tribunal is over and she has been rewarded with a caution for her part in the errors (this hangs over her head in her particular field of expertise for 3 years so that she has to declare it whenever she applies for another job) – I can reveal that, as expected, every other aspect of the incompetence and inefficiency of her department was glossed over with the agreement of her barrister so that ‘a deal’ was basically struck in the hope of obtaining a ‘lighter sentence’ and obviously not embarrassing those in authority who allowed this situation to develop and failed to take any effective action to remedy it (even though tacitly admitting to the tribunal that they knew it existed before they made an issue out of it – but not that they quickly rushed to use it when they ‘came to power’!). This ACE (A*** Covering Exercise) even heard from at least one witness that personal animosity clearly played a part (as I described earlier) and told the tribunal that the offending ‘manager’ was generally disliked, i.e. they were shown to be making an issue/vendetta out of it for personal motives even though they had to agree that the issues my daughter had brought up in her resignation letter were recognised as valid! It is a familiar story which is replayed in countless courtrooms and tribunals and which leads to a discriminating judgement unless you are fortunate enough to be able to pay for top defence representatives who can get you proper justice.

    Again, when media such as the Daily Mail have revealed that the NHS loses – on average – 800 patients’ records per day, this tribunal took hours of paper sifting, repeat interviews, three days to swan it up in a hotel in Cardiff, loss of the same number of working days for all the witnesses called (one by video link from Staffs who required a ‘carer’ to ensure she did not suffer a health blip while giving her testimony!), all at public expense for the sake of 24 sets of patients’ notes?! If we do this for every example discovered in the NHS we won’t need to be concerned about our national debt – or the euro – because we will all be living in tents. As Sheldon might say: ‘Bippity-boppity-boo’!

  • Harvey

    Staff probably do access information on a daily basis but there is a huge lack of knowledge with the staff. It cannot be deemed to be the staff’s fault; each trust will have hundreds of policies and procedures making it virtually impossible for the staff to know them or to follow them all. The trusts and the managers need to take responsibility for their staff’s lack of knowledge and start making each staff member who has access to computerised records undertake on-line modules on the information governance site which has now improved my knowledge substantially to know what I can and what I cannot access. The trusts will happily sack staff but do not take any responsibility for it so it will continue to happen.

  • hcvwdhcvwiy23u98903

    B.B.W. should send someone along to Southend and Basildon Hospitals in Essex; if I had a pound for every time I have seen another person’s medical record left unattended I’d be rich!

  • John4

    For a short time I was a security guard on a secure forensic mental health unit. When on reception I had access to every physical file on every patient and all their current status and treatment. This was due to the security reception being located in the secretarial office. No kind of security on the files at all just left there for any of us to view. No doubt much of the information could have been passed to the press if they had ever offered. Not that I would have done that. I only stayed a short while there, the staff were madder than the patients.

  • Jeatough70

    Is it possible to check if one’s records have been accessed for malicious reasons? If they have, what action can be taken? Is it possible to find out who was responsible?

    • David Melchiz

      Unlikely in most cases but, when numpties have accessed computers which record who made the search and when, a number of people have been caught and disciplined.  The temptation to look is beyond many and they are usually shown the door as the serious nature of such an offence is made very clear to staff who have to enter a password to gain access (in ‘most’ cases).  Police and tax computer records are common targets for those who simply must look!

  • Becky

    Personally I think this is appalling that the NHS has leaked some of people’s personal information on social network websites!!