NHS data breach caused details of 150,000 patients to be shared

The NHS has inadvertently shared the confidential data of 150,000 patients over a three-year period due to a coding error in one of the most common GP IT systems.

A data breach led to the NHS accidentally sharing the confidential health data of 150,000 patients. The breach was a result of a coding error in one of the most common IT systems used by GPs, TPP’s SystmOne.

The error meant that patients who had opted out of having their information shared for purposes other than their direct care did not have their objection sent to NHS Digital.

As a result, the 150,000 patients who had submitted type 2 objections between March 2015 and June 2018, when the fault was discovered, have accidentally had their data shared by NHS Digital for use in clinical audit research.

In a statement to members of Parliament (MPs), parliamentary undersecretary for health, Jackie Doyle-Price, said the error was “swiftly rectified” once it was discovered on 28 June. 

“NHS Digital will write to all TPP GP practices to make sure they are aware of the issue and can provide reassurance to any affected patients. NHS Digital will also write to every affected patient. Patients need to take no action and their objections are now being upheld,” she said. “There is not, and has never been, any risk to patient care as a result of this error.”

Following the discovery of the breach, NHS Digital has made the Information Commissioner’s Office (ICO) and the national data guardian for health and care, Fiona Caldicott, aware of the incident. The ICO is currently making inquiries into the breach.  

NHS Digital’s director of primary and social care technology, Nic Fox, said the problem was quickly rectified and has been “resolved for any future data disseminations”.

“We apologise unreservedly for this issue, which has been caused by a coding error by a GP system supplier [TPP] and means that some people’s data preferences have not been upheld when we have disseminated data. The TPP coding error meant that we did not receive these preferences and so have not been able to apply them to our data,” Fox said.

“We take seriously our responsibility to honour citizen’s wishes and we are doing everything we can to put this right.”

TPP and NHS Digital will now work to ensure testing and assurance of patient data extracts are “enhanced to ensure that errors of this nature do not occur again”. TPP clinical director John Parry said the privacy of patient data “is a key priority for TPP, and we continually make improvements to our system to ensure that patients have optimum control over information”.

In May 2018, NHS Digital launched a national data opt-out tool intended to make it easy for patients to opt out of having their information shared.

The NHS has struggled to gain the public’s trust when it comes to data, following the Care.data scandal, in which the programme was pushed through without an explanation of the implications for highly sensitive patient records, which eventually led to it being scrapped.

The latest data breach is unlikely to increase trust, but NHS Digital’s Nic Fox said the issue would “not be able to occur” using the new tool.

Once a patient decides to opt out, all health and care organisations have to comply with the choices made by the patient until 2020.
