Police investigate NHS smartcard security breach as SCR launches in London

[Summary of article on ComputerWeekly.com homepage]:

An NHS trust at the forefront of work on the £12.7bn NHS IT scheme has called in police after a breach of smartcard security compromised the confidentiality of hundreds of electronic records.

Patients in Hull have expressed their dismay that an unauthorised NHS employee has accessed their confidential records; and the local primary care trust, NHS Hull, says it is “shocked” at the breach of security by a member of staff who has since left.

Details of the breach emerged as health officials in London were, in an unrelated event, telling journalists about the start of a roll-out of electronic records across London, as part of the National Programme for IT [NPfIT].

NHS Hull has refused to say which system the culprit was using but it was known that the employee used a smartcard to log in and gain access to the records. The person was authorised to view anonymised data but not identifiable information.

The employee has since left. NHS Hull is working with NHS Connecting for Healthon pseudonymising information for the Secondary Uses Service database.The trust has also installed the TPP SystmOne system to shareelectronic patient records. 

A spokeswoman for the trustdeclined to how an employee with a smartcard was able to accessinformation which was beyond the person’s level of authorisation.


NHS Hull announcement of security breach

13 November 2009

Unauthorised access to patient records in Hull

NHS Hull can confirm that a former employee has been found to have accessed a number of patient records without authorisation.

The former employee was found to have inappropriately accessed electronic medical records between May 2008 and June 2009.

The individual concerned was authorised to use collated and anonymisedpatient data during the course of their day-to-day work but was notpermitted to access individual patient records.

A total of 358 patients across 20 GP practices have been affected bythis. All patients involved have been notified in writing and given apoint of contact for more information and support. All of the affectedGP practices have also been informed.

Today, health managers have expressed just how appalled they are with their former employee’s actions.

Kath Tanfield, Director of Performance, Governance & Informatics for NHS Hull says:

“We take patient confidentiality very seriously and are disturbed tofind that patient confidentiality rules have been breached in such amanner.

“It is shocking to us that an individual who takes on a public servicerole and who agrees to abide by strict confidentiality agreementsshould go on to abuse their position and violate patients’ rights toprivacy.

“Patients and the public rightly expect all health service employees toprotect and respect their personal information. They have every rightto be outraged by this individual’s actions, and as the organisationwho employed this person, we too feel appalled and let down by theirbehaviour.”

NHS Hull has conducted its own review and is cooperating fully with the police investigation which is now underway.


Full article on CompterWeekly.com

Password sharing hinders probe into serious blunder – IT Projects blog

Are e-prescriptions more important than SCR? – IT Projects blog

Nothing like deadlines to make things happen – project management and recruitment

The problem with the NPfIT is the “NP” bit – the Yorkshire Ranter