Thousands of patient details lost

http://news.bbc.co.uk/go/rss/-/1/hi/england/london/8071601.stm

Version 0 of 1.

Elaine Okyere BBC News, London NHS London has published details of data losses from 2008 until 2009

Thousands of patient details have been lost by the NHS in London following a series of data breaches, a report has revealed.

NHS London revealed that between April 2008 until April 2009 there were 76 "serious untoward incidents", which involved personal information of patients and staff being lost or stolen.

At least 37,872 patient details have been lost, stolen, misplaced or "inappropriately released" by Primary Care Trusts (PCT), GPs and acute trusts in the capital, the report showed.

In one incident computers containing the names, addresses and medical diagnoses of 2,500 patients were left next to a skip in St Pancras Hospital, in north-west London.

The computers, which were not encrypted, went missing and have never been recovered.

Identifiable information

Camden PCT has been issued with an enforcement notice and threatened with legal action by the Information Commissioner's Office (ICO) unless it improves how they protect patients' data.

After the data loss, Camden PCT said it had reviewed its data protection procedures.

In 44 of the incidents reported to NHS London, the amount of data lost was not known, but the majority contained "patient identifiable information".

This information could include anything from a patient's name, date of birth, address or information about a patient's condition.

The North West London Hospitals NHS Trust also had to sign an agreement with the ICO to improve data security after a desktop computer containing 180 patients' details, including their name, date of birth and clinical information, was stolen from Northwick Park Hospital, in Harrow, north London, in May 2008.

Michael Summers, from the Patients' Association, said NHS data is at risk

In another incident, a memory stick with the names and dates of birth of 2,450 patients was misplaced by staff at Greenwich Teaching PCT, in south-east London, in January.

North West London Hospitals NHS Trust said following the thefts, all laptops and PCs in the trust were data encrypted and staff had received further training.

Greenwich PCT said the trust "already explicitly prohibited staff from bringing in and using their own memory sticks" and those breaching the rules had been disciplined.

The report, which was published on NHS London's website, also revealed that a folder containing contact details and care packages for children was left on a wall by staff from an unidentified PCT.

The document also lists incidents where patient information was mistakenly sent by fax to a public library and of 4,000 prescription forms failing to arrive at their destination after being sent through the mail.

NHS London is responsible for 31 PCTs, 24 acute trusts, three mental health trusts and the London Ambulance Service.

Any private information that is imparted on their GP, such as whether as a young girl they had an abortion, these are types of things they do not want known Michael Summers, Patients' Association

An NHS London spokesman said the strategic health authority was taking measures to improve data protection.

He said: "We have improved the way that incidents are reported and are working with all London trusts and PCTs to protect confidential data.

"This includes better training of staff and regular assessment by the Strategic Health Authority to ensure that all have stringent controls in place to secure the flow of information. We are also introducing new physical controls requiring trusts to encrypt all laptops and USB sticks.

"The NHS in London is committed to keeping patient data safe and we continue to work with our trusts to monitor their performance, identify any weaknesses and strengthen controls to protect patient data."

'Blackmail risk'

However, some campaigners feel the NHS is not doing enough to ensure sensitive patient details do not get into the wrong hands.

Michael Summers, vice-chair of the Patients' Association, believes the NHS needs to be held accountable for data breaches.

He said: "Patients lose confidence with the NHS. Now we are in the technological age, data of this kind has to be secured. There is a risk the information will get into the wrong hands.

"When data is lost or stolen, patients are open to all sorts of risks like blackmail," Mr Summers said.

"Any private information that is imparted on their GP, such as whether as a young girl they had an abortion, these are types of things they do not want known.

"They do not expect anyone else to have access to this."

A Department of Health spokesman said the NHS locally was "legally responsible" for following data protection rules.

He added the chief executive of the NHS had written to senior health managers "reminding them of their responsibilities".