04.07.18
Major NHS breach means 150,000 patients had confidential data used without consent
Just one month after the roll-out of GDPR, it has been revealed that a staggering 150,000 patients have been affected by an NHS data breach in which confidential information that they had asked to be used only to provide them with care was also exploited for clinical audit and research purposes without their consent or knowledge.
The mistake is said to have been linked to a coding error in the software used by GPs to record objections to patient data being used for research purposes, which meant the application never passed on the request to NHS England’s IT provider.
Software developer TPP “apologised unreservedly” for the blunder.
In a written statement, health minister Jackie Doyle-Price said the 150,000 Type 2 objections set between March 2015 and June this year in GP practices running TPP’s system were not sent to NHS Digital. As a result, the objections were not upheld in NHS Digital’s data disseminations up until 26 June.
“This means that data for these patients has been used in clinical audit and research that helps drive improvements in outcomes for patients,” she explained.
Type 2 objections are when patients do not wish for NHS Digital to share their information for any purpose other than their individual care.
TPP apologised for its role in the data breach and is working with NHS Digital to fix the error. All GP practices using the software have been contacted to make sure they are aware of the issue, and the patients affected will receive a letter from NHS Digital.
“There is not, and has never been, any risk to patient care as a result of this error,” Doyle-Price argued. “NHS Digital has made the Information Commissioner’s Office (ICO) and the National Data Guardian for Health and Care aware.”
The introduction of the new national data opt-out, which will replace Type 2 objections, will simplify the process of objecting to data being shared for purposes beyond patient care, because patients will have direct control over their own preferences rather than having to use GP systems. This will “prevent a repeat of this kind of GP systems failure in the future,” Doyle-Price added.
She concluded: “The government has the highest regard for data standards and is committed to ensuring patients can express a preference over how health data is shared for purposes beyond their own care.”
An ICO spokeswoman told the BBC: “We are aware of an incident involving NHS Digital and are making inquiries.”