An NHS trust at the forefront of work on the £12.7bn NHS IT scheme has called in police after a breach of smartcard security compromised the confidentiality of hundreds of electronic records.
Patients in Hull have expressed their dismay that an unauthorised NHS employee has accessed their confidential records; and the local primary care trust, NHS Hull, says it is "shocked" at the breach of security by a member of staff who has since left.
Details of the breach emerged as health officials in London were, in an unrelated event, telling journalists about the start of a roll-out of electronic records across London, as part of the National Programme for IT [NPfIT].
The roll-out is part of plans by the Department of Health to create for 50 million people in England an electronic "summary" medical record on a central database run by BT.
But doctors say that the breach of security at NHS Hull shows that an insider with a smartcard can access confidential electronic records without authorisation, if the person is determined to do so.
They say that this will deepen the scepticism of some doctors that centrally-held medical records will remain confidential under the NPfIT.
Before the advent of NPfIT central databases individual medical records were retained by GPs or by NHS trusts in specific areas.
GP Paul Cundy, a former spokesman on GP IT for the British Medical Association, said of the Hull incident: "This confidentiality breach, in one of Connecting for Health's showcase systems, highlights the inherent dangers of the Summary Care Record and all shared record systems. This is alarming news, but precisely what was predicted."
Kath Tanfield a director at NHS Hull who is in charge of IT, says: "It is shocking to us that an individual who takes on a public service role and who agrees to abide by strict confidentiality agreements should go on to abuse their position and violate patients' rights to privacy".
Hull has been working with NHS Connecting for Health and the NPfIT since 2004, in part on implementing a shared electronic health record.
NHS Hull has also also working with Connecting for Health on the pseudonymisation of the controversial Secondary Uses Service - in which identifiable health records are partially anonymised so they can used for research purposes by non medical staff.
Hundreds of millions of patient records have been uploaded to the Secondary Uses Service database.
NHS Hull, in a joint presentation with NHS CfH, has conceded in the past that the security of pseudonymised data represents a potential data problem.
In the security breach, an employee was authorised to use collated and anonymised patient data during the course of the person's day to day work, but was not authorised to access individual patient records.
After the person left, however, NHS Hull discovered that the person "inappropriately accessed identifiable medical records. The trust says: "A total of 358 patients [registered at] GP practices have been affected by this."
The trust has written to the patients whose records were looked at. It says it is cooperating fully with a police investigation which is now underway.