Fears over privacy after personal details shared with strangers

The private data of thousands of NHS patients has been wrongly shared with strangers, including a case where a person’s HIV status was released, The Independent has learned.

In one example, strangers turned up at a woman’s door to let her know her private details, including her home address, had been mistakenly sent to other patients.

In some cases the NHS has had to pay thousands of pounds in compensation because of the errors, which, having come to light, will shake confidence in the health system’s ability to handle patient data responsibly.

The latest statistics from the Information Commissioner’s Office (ICO) show that 3,557 personal data breaches were reported across the health sector, the majority within the NHS, in the two years to 31 March this year.

Not all data breaches have to be reported, so the total is likely to be much higher.

Meanwhile, the government has been forced to put on hold a major plan to share the health records of 55 million patients, which would see data from GP surgeries collected in a single database and made available to private organisations for health and research work.

Shadow health minister Alex Norris said: “Properly utilising NHS data can improve healthcare and will benefit patients, but without proper safeguards patients can also be harmed. These breaches are concerning, and show exactly why it was so important to delay the GP DPR (General Practice Data for Planning and Research) process instead of rushing it through.

“The government and NHS Digital must now use this extra time wisely to consult with the public and act upon what they learn. The public need to be confident when their data is shared that they understand the process and who can access it; that their data is well safeguarded; and that no sensitive data is taken and shared irreversibly with organisations that have no business having it.”

Between April 2019 and March 2021 there were 866 instances in which personal data was emailed or physically posted to the wrong person. Other errors included losing paperwork or devices such as laptops. On other occasions, staff verbally revealed incorrect information, and in 12 cases data had been deliberately altered without consent.

According to the ICO, there were more data breaches across the health sector during 2019-20 than in any of the other public, private and charitable sectors it examined. The breaches included 456 instances in which patient data was sent to the wrong recipient, and a further 225 cases in which private information was either stolen, lost, or left in an insecure location.

In September 2019, the ICO launched an investigation into a major data breach at Wrightington, Wigan and Leigh NHS Foundation Trust in the northwest, after more than 2,000 patients’ data was wrongly accessed.

Multiple staff at the trust were alleged to have accessed patient records without proper authorisation.

One patient, represented by data rights law firm JMW Solicitors, received £3,000 in damages.

Another patient received £2,000 in compensation after their discharge paperwork – including details of their condition, treatment and medication – was inadvertently stapled to papers sent to someone else.

Other cases involved a woman’s confidential medical information being disclosed by a GP practice, without her consent, to her former partner, after he requested copies of their child’s health records.

Another complaint against a GP practice saw a patient receive £10,000 in compensation after the accidental disclosure of medical details, including their HIV status.

Associate solicitor Laura Wilkinson said the firm had seen a three-fold increase in health-related data breaches in the last year, and was dealing with at least one new case every week.

“These are mistakes which often have devastating consequences for those affected. Anyone attending a doctor’s surgery, hospital or clinic takes for granted that this incredibly sensitive information about them will be properly looked after.

“Since the introduction of the General Data Protection Regulation (GDPR) in 2018, every organisation in the public, private and charitable sectors has been reminded of its responsibilities in terms of processing such personal data.

“Yet the ICO statistics make clear that many relatively straightforward breaches involving patient data are still happening on a daily basis.”

Under the terms of GDPR, organisations handling personal data are required to protect it against “unauthorised or unlawful processing and against accidental loss, destruction or damage”. Failure to do so can result in large fines and even criminal prosecution.

Phil Booth, from MedConfidential, an organisation that campaigns for better confidentiality and security for patient data, told The Independent the statistics were not surprising.

“The NHS is always going to stand out. If you want to have more secure transfer of medical data, rather than concentrate on trying to grab all the data for all these uses, the government should do what we’ve been saying for decades, and ensure that the data flows digitally along the care pathways, secure from endpoint to endpoint.”

He said systems should have audit trails to track who has accessed patient data, and that a version of this should be made available to patients so that they can see who is looking at their information.

“The major risk of the GP data programme is that it crashes trust,” he said, adding that the 3,500 breaches represent a drop in the ocean.

“When you take the whole lot and start selling it to people – that’s what undermines trust.”

Mr Booth said that existing secure research systems, where organisations access data to use for research but are unable to copy it, constitute a better approach than handing over data.

The plan to share millions of GP records with private organisations and researchers sparked an outcry when it emerged earlier this year.

The GP DPR project, led by NHS Digital, includes plans to share details about patients themselves, their conditions, medications and any treatments, as well as data on their sex and ethnicity.

Urging the government to halt the rollout altogether, Labour said that the plans were “deeply concerning”. The BMA said the government’s explanation for the plan was “completely inadequate, causing confusion for patients and GPs alike”.

It has now been paused until September, but already some GPs have said they will opt out all their patients. NHS Digital said data would not be used for commercial purposes, while researchers have said access to population healthcare data could help revolutionise research and improve care.

A DHSC spokesperson said: “Data security is the responsibility of each individual local NHS organisation which all have robust processes in place so breaches do not happen. The NHS regularly shares national guidance and resources with local organisations, including GP practices and hospitals, to ensure information is kept safe and secure.

“The GP Data for Planning and Research programme will help the NHS unlock the benefits of data to help save lives. It will use a trusted research environment to protect the data, which means the data will only be accessed through a secure environment, by approved researchers, for specific projects. Individual data will never be visible to researchers.”


Written by Shaun Lintern – Health Correspondent, Independent