GP surgery manager prosecuted for illegally accessing thousands of patients’ medical records

As the year comes to an end, the successful prosecution of a former GP surgery manager for serious data breaches reminds us why we remain deeply concerned about lax attitudes towards our medical data. We have consistently argued that patients should have more control over their medical records and proper punishments should be issued to those who abuse their access to this information.

In September we wrote about the concerns of many GPs about the new NHS system. Patients have had zero direct communication from the NHS about the program, and the patient information posters are wholly uninformative and have only been displayed in GP surgeries, rather than being sent directly to patients. It is very simple: any change to how medical data is used should mean that we are notified to the highest standards, with an easy opt-out process.

Just this week a former GP surgery manager was prosecuted for serious data breaches, highlighting why we believe that patients should have the right to know if their medical records are found to have been illegally accessed. In this case, an individual had illegally accessed the medical records of more than 1,940 patients. Many of the records related to women in their 20s and 30s whilst the records of one woman, who is believed to be a school friend, and her son were accessed repeatedly.

Despite being found guilty, the punishment was merely fines of £996, a £99 victim surcharge and £250 prosecution costs. Until courts are able to hand out proper punishments to people who violate our privacy, individuals will continue to choose to ignore the law. The ICO and BBW remain frustrated about the lax punishments that are handed out for section 55 offences, and we repeat our call for more effective sentences, including the threat of prison, for those found unlawfully accessing or disclosing personal information.

Posted on Dec 6, 2013 | 2 Comments


  1. Anon
    17th December 2013

    And why did the GP surgery staff not notice that these records were being illegally accessed? What does this say about the audit trail that exists but is not monitored? To be able to illegally access nearly 2000 medical records shows the lack of supervision. The surgery surely has responsibility here too for not noticing these breaches were being committed? Or is it up to individual patients to get copies of their PDS (patient demographic system) data from the Department of Health on a regular basis to monitor who has had access to their records? This would be cumbersome but would ensure that patients are aware of everyone who has accessed their records (provided no-one has been given access via a colleague’s smart card log-in).

    It has gone quiet on the NHS front – patients need to be made fully aware of what is happening and how they can opt out – as you say, an easy opt out. At the moment the patient first of all needs to know about the system and process and then has to inform their surgery (hoping they know what you are referring to) that they want to opt out. This is not a reliable system.

  2. DD
    20th December 2013

    Having recently been diagnosed with cancer and currently undergoing treatment I have been dismayed to find out that my personal data including name and address will be submitted to the national cancer register without my consent and potentially made available to researchers forever. Whilst researching this issue I believe I can apply to my regional cancer registry to have only my NHS number used. To do so, I have to jump through hoops and provide all my identification details so this can be considered.
    Additionally, I have stumbled across the GPES plan for which unless I object will pass details of all my tests, referrals, diagnosis etc on a regular basis. Why are the press quiet on this matter?