Big Brother Watch calls for better NHS data security in light of losses

Big Brother Watch calls for better health data security after a study reveals NHS has suffered an average of six data breaches a day

Civil liberties pressure group Big Brother Watch has called for better health data security after a study revealed the NHS has suffered an average of six data breaches a day for the past three years.

The privacy campaign group is also calling for greater penalties for data breaches, including custodial sentences.

A research report based on freedom of information (FOI) requests reveals there were at least 7,255 breaches across the NHS between April 2011 and April 2014.

This is far higher than the 806 breaches found in a similar study from July 2008 to July 2011, indicating that the situation is getting worse instead of improving, the report said.

A recent Data Nation report from Deloitte showed 60% of respondents are most trusting of public healthcare providers, compared to 51% of other public sector organisations.

However, the latest Big Brother Watch research reveals examples of medical data being lost, shared on social media, and inappropriately shared with third parties.

The report notes that “information held about patients by health agencies is among the most personal and private information that it’s possible to record.”

For this reason, health care data is increasingly being targeted by cyber criminals, according to Carl Leonard, head of Websense Security Labs.

“Since the start of 2014, we have seen a 600% increase in attacks targeting health care data in the US because it is so valuable for enabling identity theft,” he told Computer Weekly.

The Big Brother report said that during the period under review there were at least 103 instances of data loss or theft and at least 124 instances of cases relating to IT systems.

Researchers found at least 236 instances of data being shared inappropriately via email, letter or fax, and data was inappropriately shared with a third party 251 times.

There were also at least 50 instances of data being posted on social media, at least 143 occasions where data had been accessed for “personal” reasons, and at least 115 instances of staff accessing their own records.

Topping the data breaches table is the South West Yorkshire Partnership NHS Foundation Trust with 869 breaches during the three years under review.

This is followed by the Taunton and Somerset NHS Foundation Trust (546), the Cambridge University Hospitals NHS Foundation Trust (534) and the Northamptonshire Healthcare NHS Healthcare Trust (346).

As well as considering the number of data breaches in the NHS, the report reflects on the legislation in place to address them.

It also highlights a number of flaws in the Data Protection Act 1998 that must be corrected.

One criticism of the act is that it does little to discourage those who are seriously considering breaking data protection legislation. 

The report proposes that:

  • A custodial sentence should be an available punishment for serious data breaches
  • Serious data breaches should result in a criminal record
  • Data protection training within the NHS should be improved

“The information held in medical records is of huge personal significance and for details to be wrongly disclosed, maliciously accessed or lost is completely unacceptable,” said Emma Carr, director of Big Brother Watch.

“With an increasing number of people having access to patients’ information, the threat of data breaches will only get worse.

“Urgent action is therefore needed to ensure medical records are kept safe and the worst data breaches are taken seriously,” she said.

Big Brother Watch said that, if the government wants to introduce new schemes to make the public’s data more accessible, this must go hand in hand with greater penalties for those who abuse that access, including jail time and a criminal record.

Opposition to the scheme is an example of repercussions of lack of trust with regards to health, the report said.

“The scheme’s rollout was delayed in February 2014 after those behind the database failed to properly communicate their intentions with the public.

“The importance of this can be seen in a recent report by the Joseph Rowntree Reform Trust, which indicated that 94% of those polled believed it was important or essential for the privacy of medical records to be maintained,” the report said.

Big Brother Watch said it is essential that the NHS is as transparent as possible and that failing or refusing to disclose incidents of data breaches is “simply unacceptable”.

The report said that, while healthcare benefits of schemes such as seem apparent the privacy concerns that are engendered by it are concerning.

“The NHS and those in charge of data sharing within it must show that they take the privacy of patients seriously before they can even begin to contemplate introducing a new scheme that would see medical records shared on an even wider scale than ever before,” the report said.

Read more on Privacy and data protection