Hundreds of records breached in Hull

Tags: DPA   GP   Security  

16 Nov 2009

More than 350 patients in Hull have had their electronic medical records accessed by a member of NHS Hull's staff who should not have had access to them.

A primary care trust employee, who was authorised to use collated and anonymous patient data for research, but not permitted to access individual patient records, accessed a total of 358 across 20 GP practices.

A statement from the PCT says: “NHS Hull can confirm that a former employee has been found to have accessed a number of patient records without authorisation.

“The former employee was found to have inappropriately accessed electronic medical records between May 2008 and June 2009.”

The PCT says that all patients involved have been notified in writing and given a point of contact for more information and support. It also says it is “appalled” by the former employee’s actions.

Kath Tanfield, director of performance, governance and informatics for NHS Hull, said: “We take patient confidentiality very seriously and are disturbed to find that patient confidentiality rules have been breached in such a manner.

“It is shocking to us that an individual who takes on a public service role and who agrees to abide by strict agreements should go on to abuse their position and violate patients’ rights and privacy.”

The trust would not reveal what system the member of staff was using when they accessed the records but said that the employee used a Smartcard to access the records.

Tanfield added: “Patients and the public rightly expect all health service employees to protect and respect their personal information.

“They have every right to be outraged by this individual’s actions, and as the organisation who employed this person, we too feel appalled and let down by their behaviour.”

A police investigation is now underway and NHS Hull is also conducting its own review.

Sarah Bruce

© 2009 E-HEALTH-MEDIA LTD. ALL RIGHTS RESERVED.

Reader's Comments

1

why should we be shocked??

16 Nov 09 14:11

Whilst any decent person can understand the shock expressed by the director at NHS Hull.

[Kath Tanfield, director of performance, governance and informatics for NHS Hull, said: “We take patient confidentiality very seriously and are disturbed to find that patient confidentiality rules have been breached in such a manner.

“It is shocking to us that an individual who takes on a public service role and who agrees to abide by strict agreements should go on to abuse their position and violate patients’ rights and privacy.”]

>> It is naive to think this won't occur and there have been dozens of cases where public service employees have misused the information that has been at their disposal.

We would do well to look at the experience of other organisations.

See: Police 'misusing national computer' http://news.zdnet.co.uk/itmanagement/0,1000000308,39160706,00.htm

In this story the (then) deputy chair of the police complaints authority John Wadham said that the failure to retain and pass on data is a "misconduct" issue for police, as much as the misuse of PNC data which has been a "consistent problem" over the last 20 years.

Disappointing, appalling - yes, but not unsurprising.


2

We need a faster way of detecting inappropriate access

17 Nov 09 21:11

I wonder if the ex member of staff is an ex member of staff as a direct result of this incident? If so then this fact should be publicised to "encourage the others". I don't know what system was used to access the records inappropriately but I'll wager that there were many times more legitimate accesses to records in the system, hopefully benefiting patients. The big challenge for all of us in this business is to devise smarter and much faster ways of detecting inappropriate access and then close down access before much damage gets done and, of course, take severe and very public disciplinary action against offenders.


3

Not surprising but at least we can tell!

17 Nov 09 21:11

Not surprising actually, but the only reason is because at last breaches of confidentiality can be monitored and steps taken to prevent it happening again. Philosophically we are all up in arms about recent confidentiality breaches but in fact we know nothing about the many years of probable unreportable, undiscoverable breaches of confidentiality with regards to paper records.


4

Governance of electronic record access?

hfdgp@aol.com

18 Nov 09 06:11

Is there a monitoring system in place to govern such events?

Chris Frith Hereford GP


5

Not an IT issue

18 Nov 09 09:11

Since the NHS began staff have been able to access confidential paper records with impunity and with nobody the wiser - records that contain the most private and intimate details. Remember the days when the GP's receptionist, who might have been your next door neighbour, knew all about your piles?

Current electronic record systems offer much greater protection of confidential patient data AND an audit trail that means unauthorised access is exposed. (The value of the audit trail is also demonstrated in another of today's news items - where a nurse allegedly falsified information in an incident at Holloway Prison.)

So blame the lack of good information governance at this trust - but not the fact that the data was on a computer.


6

Smartcard access?

18 Nov 09 10:11

This employee had a smartcard and was supposedly only given access to anonymised data - what was the Registration Authority thinking of, giving them the ability to access individual patient records?

Paper records are kept in one place, and you cannot access more than one at a time, or search through vast numbers looking for a target. The bigger the database of patient records, and the more people having access, the more it will be abused - that's human nature.

The audit trail must pick these up, but of course it is too late by then. What is needed is information governance accreditation for all PCT staff on a yearly basis, with smartcards removed if they do not pass it. But I don't hear that being proposed anywhere.....


7

The real question

18 Nov 09 13:11

The question that should be asked is how this individual managed to access so many records over such a long period without being identified!


8

Does NHS Hull have access to the entire GP patient record?

maryhawking@tigers.demon.co.uk

19 Nov 09 08:11

It sounds as though this individual was working on aggregated data but accessed individual patient records (btw I agree with previous poster: if this was via smartcard access, why was the RBAC set to allow this access?).

"A primary care trust employee, who was authorised to use collated and anonymous patient data for research, but not permitted to access individual patient records, accessed a total of 358 across 20 GP practices."

Does this mean that NHS Hull has access to the entire medical records of all patients in these practices, or does it mean that the individual concerned accessed patient identifiable data which had been passed to the PCT for other purposes such as management (e.g. diabetic retinopathy screening) or payment e.g. validating PBC claims? If the latter, the amount of information accessed would be very limited!

If the former, who controls access to individual medical records? The PCT or the practice? And if it is in fact the PCT, what price the NHS Code of Confidentiality, Data Protection, the role of the Data Controller and Duties of a Doctor (GMC)? or informed patient consent? And what use does NHS Hull make of their apparently unlimited ability to access GP records?
