GP logs into NHS Choose and Book without security pass

A flaw has allowed a GP to bypass system security and access patient records in the NHS’s newly launched Choose and Book system without his security smart card or password.

The GP, based in Essex, bypassed the security system entirely, The Sun newspaper has reported. He was able to access sensitive medical records, including addresses, without using the special swipe card for authorised access.

A spokesperson at Connecting for Health, the NHS department that is running the programme, said the GP had been able to access the system without the card because of a “local hardware fault” with the smartcard reader.

But the spokesperson also blamed the GP for not following “recommended security practices” and not logging off after he last used the system. “If he had logged out of his computer, which is standard security practice, the GP would not have been able to return to Choose and Book without using both his smartcard and passcode.”

The situation was “being thoroughly investigated to ensure that this cannot happen again,” he said.

The Choose and Book system is a major part of the £12.4 billion National Programme for IT, and allows patients to book appointments at a hospital of their choice across the country.

The launch of the latest version of the system was delayed by two weeks after a problem with the original system meant hundreds of patients received the wrong appointment details. The NHS said at the time that no patient data had been breached.

Meanwhile, the British Medical Association last week called for a halt to the rollout of the Summary Care Records beyond initial pilot sites, until the NHS made changes advised in a key report by University College London.

The report quoted doctors as saying the SCR system, which contains information including patients’ details, prescriptions and allergies, was "clunky" and "interfaces poorly with other ICT systems". It also questioned automatic opt-in from patients, after GPs in early adopter sites had said a number of patients did not understand the system.

The NHS said patient records had not been compromised, and that the GP reported the fault immediately.