Data despatched to NHS, research and private organisations was made vulnerable by inadequate NHS Digital procedures.
Around two-thirds of the data releases from the company between April and August this year included inappropriate information about patients.
1.2 million individuals who have asked for their records not to be shared, other than in circumstances related to direct care, were affected by this issue.
The data was despatched to NHS, research and private organisations.
A public debate is now brewing on whether or not opt outs should apply to these releases.
NHS Digital has argued that it has acted legally at all times, regardless of respecting the actual wishes of patients.
The organisation believes that it has actually behaved in the best interests of patients, and a spokeswoman for the organisation has argued that there is minimal risk of confidentiality issues from the released data.
Furthermore, NHS Digital has stated that it has ensured that the data has been made anonymous, in accordance with the Information Commissioner’s Office’s code of practice.
But the privacy rights campaign group, MedConfidential, suggested that the reports indicated that privacy is not being taken seriously enough, and that “opt outs are not being respected. This goes directly against what patients think is happening when they opt out of their data being shared for reasons beyond direct care”.
The group argues that standards of anonymisation have not been met by NHS Digital.
Commenting further on the issue, coordinator Phil Booth reassured those concerned about the reports that full datasets would eventually be made available to researchers.
“There are perfectly good reasons why some researchers may sometimes require an entire data set, including those who have opted out. Researchers who have a legitimate reason to obtain the full data set can do this by getting permission from the confidential advisory group.”
Releases to private firms have been considered particularly worrying, with around 200 of the releases made without opt-outs being actioned having involved private firms such as Capita.
Booth concluded that the issue will be considered extremely serious by health service observers.
“After the Care.data debacle, this will only make people further question whether or not the NHS can be trusted with patients’ confidential and sensitive data.”
Responding to the report, an NHS Digital spokeswoman stated that nothing underhand nor concerning had occurred.
“Our public register details all data releases shared under agreement with organisations, the vast majority of whom are NHS, university or charity bodies. The register includes a very significant number of releases that are anonymised in line with the ICO code of practice, which means the type two opt out is not required given the data is not confidential patient information.”
The spokeswoman further underlined future initiatives related to this issue.
“We are absolutely committed to upholding patient opt-outs and continue to do so in line with legislation and working closely with bodies like the ICO and the [national data guardian]. We are also committed to making details of what we do public, which is why we added the application of opt outs to the register.”
Granting local pharmacists access to summary information from GP patient records cuts administration time in dealing with pharmacists by as much as 80% in some cases, according to NHS Digital.
One pharmacist cut down on calls to their local GP practice from 200 to just 30 a month after being given access to the practice’s summary care records (SCRs), according to Harpreet Shergill.
Shergill is NHS Digital’s lead for rolling the scheme out across community pharmacy.
With some practices having up to five pharmacies working with them, this has the potential to drastically cut down on GP workloads once the technology beds down, he said.
Shergill, who works as a pharmacist as well, stated that the new policy represents the “biggest single change in pharmacy in the last 10 years”.
And early data indicates that some pharmacies access the system as many as 70 times a week.
Shergill spoke at a King’s Fund event on emerging models in primary care, and suggested that “having access to this information empowers me as a pharmacist to provide care back to patients”.
Recent reports have suggested that many pharmacies face closure following new government regulations.
But the government has indicated its belief that there are too many pharmacies operating in Britain.
Clearly this is a critical time for this valuable part of the healthcare system.
Meanwhile, the new initiative will ensure that pharmacies are not reliant on practices being open to deal with certain enquiries.
This will allow issues to be addressed in the evening and on Sundays.
A smart card system has been put in place for system access.
Around 41% of pharmacies are enabled to use SCRs so far.
And all pharmacies should be live on the system by the end of March 2017.
And Shergill was enthusiastic about the potential of the system.
“Having access to this technology and this subset of the GP patient record allows me to contribute directly to patient care and support primary care in the provision of that care. Historically, by not having access to the SCR, that would have necessitated a phone call to the practice, a conversation with the receptionist – or even with the GP. Access to the information can quickly cut through all that and give clarity to patient.”
The pharmacist outlined the impact that this SCR system has already achieved.
“We used to ring our local GP practice probably 200 times a month with all these queries around patients, prescriptions and medication. After the SCR was introduced and we got used to the technology, that call volume fell to 30 calls per month. That’s an 80% reduction in calls going in to that GP practice. So, if I’m a GP practice – and I had five pharmacies surrounding me locally – then how many calls are coming into my practice? How much time is being taken up by reception having to filter those calls, then deciding what needs to happen.”
And Shergill believes that there are other advantages of SCR as well.
“The second benefit is because we’re solving this in-pharmacy, there’s a reduction in unplanned patient visits and footfall into GP practices.”
A serious incident report from the Care Quality Commission has revealed that the NHS regulator has lost 500 files relating to GPs and practice managers.
The incident occurred as part of a process of checks being conducted in order for the individuals involved to become the CQC registered provider of their particular practice.
Unfortunately, the Care Quality Commission has conceded that it has lost a significant amount of personal information.
The information misplaced is part of ‘disclosure and barring service’ files, previously referred to, and more commonly known as, criminal records bureau checks.
This data includes information from the primary medical services, according to media reports.
The files contain personal data, but also mental health information.
With the Care Quality Commission having publicly acknowledged the data breach, the organisation has already written to individuals affected to apologise for the mistake.
There will be particular concern about this error, considering that the regulator has recently announced practices which will lead to strengthened inspections of the data security processes at the commission.
Many will believe that this review cannot come a moment too soon, as the NHS overhauls the way that it deals with sensitive information.
A statement on the CQC website acknowledges the problem, and outlines the extent of the issue.
“During a planned refurbishment of its office in Newcastle earlier this month, it appears that a locked filing cabinet containing up to 500 DBS certificates was wrongly marked for removal and destruction,” the Care Quality Commission concedes.
Although there will be considerable concern about the information getting into the wrong hands, the Care Quality Commission has stated that theft is an unlikely explanation for the issue.
CQC chief executive David Behan wrote to affected individuals earlier this week to notify them of the breach, and an independent review of the CQC’s security arrangements has been launched.
The report on the leak concludes that issues related to contractors can be blamed for the difficulties.
“The root cause of the loss of these documents was the last minute verbal changes to the requirements for the contractors made on 7 July, the lack of adherence to the documented plan and a misunderstanding between CQC staff and the primary contractor team. Should the information contained in the missing folders fall into unscrupulous hands then it has the potential to cause further harm and distress to the individual data subjects.”
The recent breach relates to applications between July 2015 and March 2016.
As figures indicate that healthcare is responsible for more data breaches than any other UK sector, can the NHS do more to secure the critical and sensitive information that it holds?
Not only is the NHS facing IT challenges, but the number of data breaches within the NHS is also increasing rapidly.
There were 734 such instances in 2014, and year-on-year numbers doubled from April-June 2013 to the same quarter the following year.
And this is not a problem that is confined to the UK or the NHS.
In the United States, 91 per cent of healthcare organisations have suffered at least one data breach in the past two years, and 40 per cent have suffered more than five incidents.
This is nothing new, but the nature of these breaches is shifting.
In the past, such problems were typically associated with mistakes and negligence, but in the contemporary environment of a hostile Internet and reportedly profitable hacking, this is no longer the case.
Thus, criminal attacks on the healthcare sector have increased by 125 per cent since 2010.
And when hackers strike health systems, far more data is lost than when errors occur. For example, the recent attack on Excellus is believed to have involved up to 10 million individual records.
So the expectation placed on the NHS to protect data is increasing, and the sensitivity of the information that the NHS deals with cannot be overstated.
At the same time, with the strain on NHS services being amplified by numerous factors, the budget for, and indeed focus on, IT security can fall by the wayside somewhat.
And the NHS does not have a fantastic track record with IT systems, with past projects often ending as expensive failures.
Nearly £6.5 million in fines have been levied for losses of sensitive personal information, the majority coming from public sector organisations.
The largest fine to date, £325,000, came against Brighton and Sussex University Hospitals NHS Trust in 2012.
In response to this, the Department of Health launched the Information Governance Toolkit, a response to the need for improved control of sensitive information within the NHS and government authorities.
Yet surveys in February and March 2015 found that fewer than 40 per cent of respondents felt the IGT met their needs.
Responding to this perception, NHS England has recently implemented a new technology solution to manage its information assets.
Live within three months, the Information Asset Manager (IAM) provides the management layer missing from the IG Toolkit, giving demonstrable control over information assets and data flows, and clearly identifying key risk areas.
It is believed that this will lead to a huge reduction in the administrative burden of Toolkit compliance, and minimisation of the risk of data losses – and costly fines – due to mismanagement and human error.
In the short-term, this may tip the balance back in favour of data privacy, but the NHS will unquestionably face many more challenges as this area of its operations evolves.
Considering the sensitivity of data protection and related topics in the existing climate, a new survey provides a damning indictment of the pharmaceutical sector.
According to the Crown Records Management / Censuswide Survey, 60 per cent of pharmaceutical companies have lost important data, and nearly one-in-four have been successfully breached by hackers.
The survey, which quizzed IT decision-makers at UK companies with more than 200 employees, will be of serious concern, particularly owing to how imperative privacy is in the healthcare sector.
Companies in a wide variety of industrial sectors have been subjected to cyber-attacks, with the Carphone Warehouse and Ashley Madison recently hitting the headlines.
The importance of keeping data safe under lock and key was succinctly underlined by the 2013 data breach at US retailer Target, considered to be the largest successful cyber-theft in history.
As a result of the breach, which saw American computer hacker Albert Gonzalez sentenced to 20 years in federal prison, Target ultimately reached a deal with Visa to pay its card issuers up to $67 million.
The Crown Records Management Survey discovered that data in the industry is not being inappropriately accessed on an occasional basis, but instead this undesirable state of affairs appears to be a regular occurrence.
12 per cent of companies in the pharma sector that responded to the survey conceded that they have lost data between seven and nine times, while 8 per cent admitted that data had been jettisoned inadvertently on at least 13 occasions.
Speaking on this issue, Ann Sellar, Business Development Manager at Crown Records Management, indicated her view that these figures should be considered extremely serious.
Sellar warned: “These survey results should be a wake-up call for UK businesses, and especially those in the pharmaceutical sector, because the importance of protecting customer data is higher than ever. Not only because of potential fines for data breaches (which will soon increase when the EU General Data Protection Regulation is ratified) but also because of growing public awareness.
“It takes on average 20 years to build a reputation but just five minutes to ruin it with a data breach and then up to two years to rebuild it. So businesses need to look at the way they protect their information, understand where the threats are and start putting robust processes in place to protect their customers. If they don’t I can only see the number of data breaches increasing in the next few years.”
Although hacking is clearly a major source of difficulty for companies, Sellar also emphasised that the majority of data loss occurs due to human error, and reiterated the importance of companies treating this issue with due seriousness and gravity.