Patient data security has been breached in four of the last five years, resulting in identifiable records being disclosed by the Government’s official information centre without authorisation or to the wrong recipient, a Freedom of Information request has revealed.
The security for hospital inpatient data – including medical information, alongside patient age and postcode – was breached every year from 2009 to 2012.
The Health and Social Care Information Centre – which was answering on behalf of itself and its predecessor organisations – disclosed the breaches in response to a request under the Freedom of Information Act by patient advocacy group, medConfidential.
The FOI asked for a ‘dated list of every known data breach involving Hospital Episode Statistic data’ including the number of records involved in each breach.
The HSCIC responses states: ‘We are interpreting the term “data breach” to mean an incident whereby access to identifiable HES data has been compromised and/or identifiable data has been provided to the incorrect recipient.’
‘…With regards to HES data, from 2008 onwards, I can confirm that we hold records of one ‘data breach’ in each of the following years; 2009, 2010, 2011 and 2012.’
A HSCIC spokesperson added: ‘The HSCIC’s predecessor organisation, The NHS Information Centre, recorded four data breaches between 2009 and 2012, one of which was committed by an external organisation. No patient harm was caused and each situation has been thoroughly investigated and appropriate action taken.’
A detailed audit of one of the breaches was included with the original FOI, the audit explains that a laptop used for accessing HES data by the London Health Observatory, was stolen in May 2011 with data including: ‘The full postcode and patient age for Hospital Episodes in 2009/10 throughout England’.
NHS England’s national director for Patients and Information, Tim Kelsey, previously said on the BBC’s Today programme, that ‘in 25 years there has never been a single episode in which the rules – very strict rules – have ever compromised a patient’s privacy’.
Phil Booth, coordinator of medConfidential, said: ‘Despite claiming a perfect record for security, we now find that patients’ hospital information has been breached multiple times – though officials have seen fit not to disclose the full details.’
However, an NHS England spokesperson clarified Mr Kelsey’s comments, saying: ‘What Tim meant by his comments was that he was not aware of any known breach of Hospital Episode Statistics (HES) data that had compromised patient privacy or led to any member of the public coming to harm.’
This article was ammended after the HSCIC corrected their response to explain that one of the four breaches was of anonymised data.