[Summary of article on ComputerWeekly.com homepage]:
An NHS trust at the forefront of work on the £12.7bn NHS IT scheme has called in police after a breach of smartcard security compromised the confidentiality of hundreds of electronic records.
Patients in Hull have expressed their dismay that an unauthorised NHS employee has accessed their confidential records; and the local primary care trust, NHS Hull, says it is "shocked" at the breach of security by a member of staff who has since left.
Details of the breach emerged as health officials in London were, in an unrelated event, telling journalists about the start of a roll-out of electronic records across London, as part of the National Programme for IT [NPfIT].
NHS Hull has refused to say which system the culprit was using but it was known that the employee used a smartcard to log in and gain access to the records. The person was authorised to view anonymised data but not identifiable information.
The employee has since left. NHS Hull is working with NHS Connecting for Health on pseudonymising information for the Secondary Uses Service database. The trust has also installed the TPP SystmOne system to share electronic patient records.
A spokeswoman for the trust declined to how an employee with a smartcard was able to access information which was beyond the person's level of authorisation.
**
NHS Hull announcement of security breach
13 November 2009
Unauthorised access to patient records in Hull
NHS Hull can confirm that a former employee has been found to have accessed a number of patient records without authorisation.
The former employee was found to have inappropriately accessed electronic medical records between May 2008 and June 2009.
The individual concerned was authorised to use collated and anonymised patient data during the course of their day-to-day work but was not permitted to access individual patient records.
A total of 358 patients across 20 GP practices have been affected by this. All patients involved have been notified in writing and given a point of contact for more information and support. All of the affected GP practices have also been informed.
Today, health managers have expressed just how appalled they are with their former employee's actions.
Kath Tanfield, Director of Performance, Governance & Informatics for NHS Hull says:
"We take patient confidentiality very seriously and are disturbed to find that patient confidentiality rules have been breached in such a manner.
"It is shocking to us that an individual who takes on a public service role and who agrees to abide by strict confidentiality agreements should go on to abuse their position and violate patients' rights to privacy.
"Patients and the public rightly expect all health service employees to protect and respect their personal information. They have every right to be outraged by this individual's actions, and as the organisation who employed this person, we too feel appalled and let down by their behaviour."
NHS Hull has conducted its own review and is cooperating fully with the police investigation which is now underway.
Links:
Full article on CompterWeekly.com
Password sharing hinders probe into serious blunder - IT Projects blog
Are e-prescriptions more important than SCR? - IT Projects blog
Nothing like deadlines to make things happen - project management and recruitment
The problem with the NPfIT is the "NP" bit - the Yorkshire Ranter
