Loss of 1.3 million medical files in the US - implications for the NHS National Programme for IT

A medical organisation cited by the Department of Health as a reference site for the NHS Care Records Service has been criticised by a US regulator after 1.3 million sensitive files went missing.


Last year the Department of Health announced that Lord Warner, then a minister responsible for the NHS’s £12.4bn National Programme for IT [NPfIT], was setting up a taskforce which would:

“draw on the work in this area done by the Veterans’ Association in the United States which has had for some time a fully operational electronic patient record that benefits patients, doctors and medical education and is fully supported by the people in the medical profession who are involved in it”.

But on 22 January 2007 there was a serious security breach of the US systems that were praised by Lord Warner – systems that support the healthcare given to four million war veterans. A hard drive disappeared and has not been recovered. It contained the medical details of 250,000 veterans and more than one million other healthcare specialists. Much of the sensitive information was not encrypted. Nor was it protected by passwords.

It was the second large-scale data loss at the Department of Veterans Affairs in less than a year.

The Department of Veterans Affairs supports the care of up to four million war veterans and operates across more than 160 hospitals, 800 clinics and 135 nursing homes.

Its security lapse reinforces the truism that an organisation’s security controls are only effective if people adhere to them and they are properly policed.

The Department of Veterans Affairs had a security policy that banned employees from storing sensitive data on portable devices without encryption. And the policy gave local supervisors the task of protecting sensitive information from unauthorised disclosure.

But when a medical centre for veterans at Birmingham, Alabama, was close to its capacity for storing data and it bought some external hard disc drives to provide extra storage space, a local director did not request encryption software to protect the data held on them.

Instead the director instituted what the US Inspector General said was a less reliable method of security: relying on employees not to remove external hard drives from the office. The director also expected staff, when not using the drives, to store them in a locked safe.

But these measures were “not adequately monitored by managers to ensure employee compliance”, said a report of the Inspector General. The report added:

“In fact, several employees elected not to store their external hard drives in the safe, and at least one employee took home an external hard drive that contained privacy-protected information concerning Veterans’ Affairs employees.

“Also, there were no records of when the safe was accessed or whether its contents were inventoried and accounted for; access to the safe was not adequately limited; and once an employee opened the safe, that employee had access to all other employees’ external hard drives.”

There is a further story on the data loss elsewhere on this blog.

The implications for the NHS?

Whitehall officials strongly defend the security of the large centralised database that is being built as part of the Care Records Service of the National Programme for IT [NPfIT]. NHS Connecting for Health, which runs a major part of the NPfIT, points out that nobody can access it without leaving a trace in the audit trail. But who is going to police the audit trail in a busy NHS? And what if nobody polices it even if they’re supposed to?

Perhaps disciplinary action can be taken against misuses of the database, but by then it may be too late to protect the confidentiality of personal data. If the security at a local GP practice is breached, it will not affect huge numbers of files. But a national database will contain millions of records.

This is one of the lessons of the lapse of security at the Department of Veterans Affairs. It is one of the few healthcare organisations in the world that has very large centralised and regional databases of medical records. So an apparently minor lapse of security can have major implications.

The external hard drive that disappeared – the sort one can buy in PC World for about £100 – contained 1.3 million sensitive medical records.

In England a loss on this scale could not happen with a breach of security at a GP practice. But the NPfIT’s Care Records Service is due to store 50 million patient records.

The Department of Veterans Affairs had a general policy of encrypting patient data so that if it were to go missing it could not easily be read. But the controls were not applied properly.

Could the same happen in England?

a) In the NHS, password sharing is endemic and doctors do not always have the time to log on and off computers to protect the integrity of the system.

b) If national systems are made too secure, doctors and nurses will not use them.

c) It’s unclear whether the Department of Health will provide enough funds to ensure that money and staff are available to police rigorously the audit trails of the Care Records Service, if such a national system works.

Perhaps these matters should have been discussed openly and honestly before the NPfIT was announced in early 2002.

Computer Weekly asked the Department of Health about the loss of the records at the Department of Veterans Affairs. We also asked the Department of Health about its announcement in 2006 that praised the work in the US on a database of medical records for veterans.

A Department of Health spokesperson said:

“When we set up the Electronic Patient Record System, the ministerial task force drew on the work already done in this area by the Veterans’ Administration in the US, in order to learn more about the strengths and weaknesses of the system.

“In its report on the National Programme for IT last year, the National Audit Office said NHS Connecting for Health has adopted the highest security standards for access to patient information.

“The access controls within the NHS Care Records Service offer sophisticated tools to support organisations’ information sharing policies and will operate alongside underpinning controls such as professional codes of conduct, the NHS Code of Confidentiality and local business processes and codes of conduct.”


Department of Veterans Affairs, Office of Inspector General, Administrative Investigation, Loss of VA Information VA Medical Center, Birmingham, Alabama

1.8 million more people affected by latest Veterans Affairs data loss

May 2006: Millions of health files go missing at Department of Veterans Affairs

Internal report cites ‘indifference’ of security officers

Veterans Affairs patient record system wins innovation in government award

Department of Veterans Affairs

Veterans Health Information Systems and Technology Architecture

The medical records software used by the Department of Veterans Affairs

Report of the ministerial taskforce on the NHS Summary Care Records