NHS trusts lose nearly 10,000 patient records a year

The University Hospital Birmingham tops the list of NHS trusts that have lost patient records in the past year, with 3,179 records reported missing or stolen, according to research by think-tank Parliament Street.

Bolton NHS trust is in second place with 2,163 records misplaced, followed by University Hospital Bristol with 1,105 records lost.

The statistics are contained in the NHS data security: Protecting patient records report, which examines the number of patient records that have been misplaced from NHS trusts in the past year.

The report discovered that overall, 9,132 patient records from 68 hospitals had been reported missing or lost in the last financial year.

Royal Devon and Exeter NHS Foundation Trust, which uses only paper-based case notes, reported 425 documents lost or stolen, while the Wigan and Leigh NHS Foundation Trust reported 426 lost or stolen documents despite using an electronic database system.

The report found that 94% of NHS trusts still use handwritten notes for patient record-keeping, despite often having electronic record system software in place.

The information was gathered though the Freedom of Information Act (FOI) to request data on lost or stolen patient records and the use of handwritten notes.

Key recommendations from the report state that NHS trusts should work to abolish handwritten notes in hospitals to prevent loss of personal documents and to introduce a patient identity protocol so patients can have up-to-date information on their medical records.

Barry Scott, CTO for Europe at security firm Centrify, said the report underlines the need to improve security procedures around the management of health records in the NHS.

“With sales of health records on the dark web and identity fraud on the rise, the need to protect the privacy of patients while moving towards secure digital systems is both urgent and essential,” he said.

The health service remains a top target for cyber attackers, said Scott. “Whether their motive is to wreak havoc or steal identities, it is critical that every single patient record is treated as a high priority by health trusts,” he said.

“Achieving this means ensuring only accredited doctors, nurses and staff can access private information, and providing encryption and identity and access management [IAM] solutions to keep cyber criminals locked out.”