BreachExchange mailing list archives

The cancer diagnosis letter found in a car park, voicemails to the wrong person and a gate-crashed consultation: Hospital data breaches up 20% in a year


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Tue, 9 Jul 2013 09:47:40 -0500

http://www.pulsetoday.co.uk/your-practice/practice-topics/legal/the-cancer-diagnosis-letter-found-in-a-car-park-voicemails-to-the-wrong-person-and-a-gate-crashed-consultation-hospital-data-breaches-up-20-in-a-year/20003550.article#.UdwiQZdhlF8

Hospitals have seen the number of confidentiality breaches and losses
of patient data rise by a fifth over the past year, with thousands of
such incidents reported, a Pulse investigation reveals.

Figures obtained under the Freedom of Information Act from 55 hospital
trusts who were able to provide comparable year-on-year statistics
show that the number of data breaches rose from 2,337 in 2011/12 to
2,805 in 2012/13 - a 20% year-on-year increase.

Common examples included patients being given a different patient’s
details in error, patient information being given to a relative
without their permission, voicemails left to the wrong person, letters
left in public meeting rooms and letters sent to patients’ previous
GPs.

The investigation also found that there was a 15% increase in data and
confidentiality breaches between 2010/11 and 2011/12. In total, the 55
trusts recorded 7,138 incidents over the last three years, results the
GPC said could cause patients to ‘lose faith in the NHS’ and could
undermine public trust in the move towards a ‘paperless NHS’ by 2018.

Hospitals must report incidents such as communications being sent to
the wrong person, breaches of confidentiality, loss or theft of data
and unauthorised access to data. Those disclosed included:

- North Tees and Hartlepool NHS Foundation Trust recorded an incident
where the protected address of foster carers was disclosed to the
parents of a child.

- A person who was not a member of hospital staff managed to
infiltrate a patient consultation, in an incident recorded by
University Hospitals of Leicester NHS Trust.

- A member of the public who was attending an appointment at The
Princess Alexandra Hospital NHS Trust found a letter in the grounds of
the hospital which was addressed to a patient regarding their clinical
diagnosis of cancer.

- Ashford & St Peter’s Hospitals NHS Foundation Trust recorded
incidents where patient information was found in public both on and
off site, and also found in private places on and off site, including
in another patient’s notes. Patient documentation was also sent to the
wrong patient and disclosed to inappropriate people.

- At Southend University Hospital a research fellow inadvertently left
a patient’s notes in the WHSmith shop in the main outpatients
reception. The pile of notes was handed in by the man at the till. The
notes contained ‘very personal and sensitive information about many
patients on each sheet, including the cover.’

- The same trust recorded an incident where a part set of patient
notes were found blocking a rainwater run-off drain.

- At the Royal Marsden NHS Foundation Trust hospital paperwork was
found in the car park.

- Royal Brompton and Harefield NHS Foundation Trust recorded an
incident where a number of letters from a clinical psychologist were
being sent to a building shop instead of a GP surgery.

- Pictures were taken and posted on Facebook in an incident recorded
by Barts Health NHS Trust. In another incident sensitive information
was inadvertently sent to a patient’s GP against the patient’s wishes.

Dr Chaand Nagpaul, joint chair of the GPC’s ICT subcommittee, called
on the Government to address the issue of breaches of confidentiality.

He said: ‘At a time when the Government is pushing ahead with
widespread data sharing, it’s vitally important the public have
confidence their data is secure, only accessed when relevant to their
care. This must be a priority.’

‘These sorts of statistics run the risk of patients losing faith in
the NHS holding their data. It’s important Government addresses this
so the public have confidence data is held securely and only accessed
appropriately.’

He added that the Government’s policy of making the NHS ‘paperless’ by
2018 should not trump concerns over information governance.

He said: ‘We need to make sure the systems are fit for purpose. It’s
important policies do not run ahead of these basic rights. We need
much more robust systems to protect patient data before more data
sharing is introduced.’

Dr Nigel Watson, chief executive of Wessex LMCs, said the increase
could be due to trusts and patients recording incidents more readily.

He said: ‘I suspect some of the increase is an increase of reporting
breaches. Patients are more likely to come forward, and trusts more
likely to report breaches and data losses.’

‘The health service is a complex organisation that sees hundreds of
millions of patients, it’s surprising this sort of thing doesn’t
happen more often.’

He added: ‘Finding letters in the car park, that’s appalling. But I
would hope that we could get into real discussions about data sharing.
There’s a danger of locking everyone down. It’s like the arguments
about hospitals seeing GP records. We do need a system whereby we can
share data professionally and we have a good opportunity now to look
at our systems and make sure they are robust.’

A spokesperson for the Information Commissioner’s Office said: ‘The
health service holds some of the most sensitive information available.
This is why it is so important that they look after patients’ data
correctly and in compliance with the Data Protection Act.’

‘We will continue to work with the health service to help them keep
the personal information they use and store secure. However,
organisations that fail to comply with the act leave themselves open
to enforcement action from our office including, in the most serious
cases, monetary penalties of up to £500,000.’
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss-discuss