The NHS has suffered more than 7,000 data breaches in the last three years, a rising volume of incidents that will only be tackled when prison sentences are handed down for serious offences, a study by campaign group Big Brother Watch (BBW) has argued.
After analysing responses to Freedom of Information (FoI) requests sent to health trusts and authorities (including Scotland and Northern Ireland), with a 92 percent response rate, BBW uncovered a total of 7,255 incidents that breached the Data Protection Act (DPA) severely enough for staff to be disciplined.
This was equivalent to an average of 2,481 breaches per year, or six every day, a dramatic rise compared to the three years prior to 2011 when a similar BBW study recorded only 806 incidents.
Breaking these numbers down by cause, 103 related to data theft or loss, 236 involved data inappropriately shared by letter or email, 251 involved data shared with an unauthorised third party, and 124 were caused by an issue with IT systems.
In fifty cases, data was shared on social media, on 143 occasions data was accessed for ‘personal reasons’, and on 115 occasions staff were found to have accessed their own records.
This resulted in 32 staff resigning during disciplinary proceedings, including 1 pending court case for a DPA breach, BBW reported.
The organisation also lists the ten worst offending Trusts, starting with South West Yorkshire Partnership NHS Foundation Trust (869 breaches), Taunton and Somerset NHS Foundation Trust (546), Cambridge University Hospitals NHS Foundation Trust (534), Northamptonshire Healthcare NHS Trust (346), and Bradford District Care (280). Mental health establishments seem to be a particular weak point.
The number of breaches underlined the difficulties faced by the care.data scheme, a programme designed to share patient health information across England, about which many NHS users now had concerns, BBW said.
“The information held in medical records is of huge personal significance and for details to be wrongly disclosed, maliciously accessed or lost is completely unacceptable,” said BBW’s director, Emma Carr.
“With an increasing number of people having access to patients’ information, the threat of data breaches will only get worse. Urgent action is therefore needed to ensure that medical records are kept safe and the worst data breaches are taken seriously.”
The failings underlined the limitations of the Data Protection Act, soon to be superseded in some of its provisions by the forthcoming EU General Data Protection Regulation (GDPR) sometime after 2015.
Sanctions should also be tougher, she said, with courts able to hand down prison sentences where necessary and serious offenders given criminal records to deter repeat incidents.
However, not all the abuse was deliberate, and poor training was a root cause in some incidents.
“If the government wants to make the public’s data more accessible, then this must go hand in hand with greater penalties for those who abuse that access. This should include the threat of jail time and a criminal record,” said Carr.
The full report makes fascinating reading as a real-world take on data breaches, itemising every single breach that was reported as part of its research.
Incidents included a probation officer who gave the personal details of a domestic abuse victim to her abuser and was fined only £150 for the offence, and the NHS Surrey computer that was bought at auction containing the records of 3,000 patients, resulting in a £200,000 ICO fine.
“Whilst fines may, at first, appear to be a sensible response, they quickly lose their impact on closer inspection,” said the report in a possibly unintentional swipe at the ICO’s impotent regime.
The BBW is correct to question the effectiveness of fines. The bigger sanction for private firms is simply embarrassment and loss of reputation. In many cases inside the NHS and public sector this rule is blunted by the fact that few members of the public ever find out about incidents.