Your medical records, lost and sold

The NHS lost track of 1.8million confidential patient records in a single year, the Daily Mail can reveal.

In worrying lapses in data security, sensitive paper records have been dumped in public bins and electronic records found for sale on an internet auction site.

The worst cases include details of terminally ill patients being faxed to the wrong number, and patient records being stolen and posted on to the internet.

The total is the equivalent of nearly 5,000 records going missing every day. But the real figure is likely to be much higher because in some incidents it was not known exactly how many records were lost.

In addition, at present the data protection watchdog relies on hospitals declaring when data has gone missing.

Such is the scale of the problem that the watchdog, the Information Commissioner’s Office, is asking for powers to conduct compulsory audits on hospitals and NHS trusts.

The Information Commissioner, Christopher Graham, has levied fines totalling nearly £1million on NHS bodies in the last six months.

And last night his office warned that more would follow if data protection rules continue to be breached.

The figures were compiled from reports of Data Protection Act breaches filed by the Information Commissioner’s Office in the 12 months from July 2011 in England, Wales and Northern Ireland.

Over the year a total of 1,779,597 records were reported lost in 16 major incidents involving NHS bodies.

In May this year, Brighton and Sussex University Hospitals NHS Foundation was fined £325,000 after an incident involving more than 69,000 patient records found on hard disk drives offered for sale on an internet auction site.

The drives contained an easily readable database with the names, dates of births, occupations, sexual preferences, sexually transmitted disease test results and diagnoses for more than 67,000 patients.

Another database contained the names and dates of birth of more than 1,500 HIV positive patients.

It later emerged that 232 hard drives that should have been destroyed had been sold on the auction site.

They also contained highly sensitive personal data of tens of thousands more patients and staff including test results, medical conditions and children’s reports. Belfast Health and Social Care Trust was fined £225,000 in June after 100,000 confidential paper records were dumped at a disused hospital site.

Trespassers gained access to the site and copies of records — which dated from the 1950s — were posted on the internet.

Central London Community Healthcare NHS Trust was fined £90,000 in April for faxing 59 patient records containing ‘confidential and sensitive’ data to the wrong number so they ended up with a member of the public.

The records belonged to terminally ill patients receiving palliative care and included medical diagnoses, information about patients’ home lives and their resuscitation instructions.

In October last year University Hospital, Coventry was warned after 19 patient records were found dumped in a bin.

A midwife in Poole was warned after her car was broken into and thieves stole patient diaries which contained sensitive personal data about 240 pregnant women in her care.

Hospitals have also been found sending mental health patient records to the wrong patient because he had a similar name.

The worst breach involved a CD containing 1.6million patient records, including personal details, belonging to Eastern and Coastal Kent PCT. The CD was lost when a filing cabinet went missing during an office move.

The trust was not fined, but signed an undertaking with the ICO not to repeat the error.

Other cases around the country have involved unsecured laptops stolen from the home of a staff member.

Nick Pickles, director of privacy campaign group Big Brother Watch, said: ‘These figures may be shocking, but they will come as no surprise to anyone familiar with the NHS’s track record for dealing with patient data.

‘Across the NHS there are some excellent organisations who are addressing this problem well but some of the poor performers are terrifying.

‘There is a real risk that if the NHS doesn’t sort out how it looks after patients’ details people will stop sharing information with their doctor and that could be extremely dangerous for care.’

The Information Commissioner’s Office said: ‘The Health Service holds some of the most sensitive personal information available, so it’s vitally important that patients’ information is being kept secure.’