
NHS data breach: tech supplier blamed for disclosure of 150,000 patients’ medical records

The NHS has accidentally disclosed 150,000 patients’ confidential medical records to external researchers and clinical auditors, the government revealed last night.

Junior health minister Jackie Doyle-Price admitted that a coding error meant requests to opt out of the data-sharing initiative were ignored by the health service for several years. The fault has been attributed to TPP, a tech supplier that manages patient data on behalf of GP practices around the country.

A spokesperson for NHS Digital told NS Tech it was not yet clear how many external organisations have received the data, but that any recipients would have signed an official data sharing agreement.

Organisations are entitled to apply for access to NHS data for research projects. The most recent publication of data access requests shows that thousands were made by dozens of public and private sector organisations in the first quarter of 2018 alone. The vast majority of data shared with private sector companies is anonymised, according to the document.

“We worked swiftly to put this right and the problem has been resolved for any future data disseminations,” said NHS Digital’s Nic Fox. “This issue would not be able to occur using the new National Data Opt-Out, which has been recently introduced and puts the individual in direct control of their data sharing preferences.”

“TPP and NHS Digital have worked together to resolve this problem swiftly,” added TPP’s clinical director Dr John Parry. “The privacy of patient data is a key priority for TPP, and we continually make improvements to our system to ensure that patients have optimum control over information. In light of this, TPP apologises unreservedly for its role in this issue.”

Forcepoint’s Mike Smart said the breach illustrated the dangers of relying too heavily on software. “It appears the underlying program left patient data exposed, even though each party involved in handling the data was aware of the privacy policy settings.

“It’s a clear indicator that relying too heavily on software will cause these mistakes to happen in the future. We can’t afford to leave out the human element when deciding how we protect sensitive data, and must involve creative and lateral thinking in the testing and final checking stage before software goes live.”