150,000 patients exposed in NHS data breach

Monday, 9 July, 2018

The NHS confirmed it had recently suffered a major data breach that left 150,000 patients’ sensitive health-related data exposed.

It transpired that the data breach was caused by a coding error in SystmOne, the software used by GPs. The error affected patients who had opted out of sharing the data the NHS collates from across health and care services.

According to sources, patients’ objections were correctly recorded, but NHS Digital never received the details. As a consequence, the data was inadvertently shared without the patients’ consent.

The Information Commissioner’s Office (ICO) has been notified and has begun an investigation.

This latest incident demonstrates the varying nature of data breaches. Although this particular event wasn’t malicious, the outcome is still the same. Sensitive data that was meant to be kept private was shared with recipients that had no business to have it.

Like many organisations, the NHS’s IT infrastructure is vast and unwieldy, so it needs to deploy a single encryption platform that can deal with an array of individual devices and operating systems.

The NHS is committed to delivering patient-centred care. Unfortunately, in today’s world, that means caring for our data, as well as our health, both of which are extremely difficult things to deliver.

- Luke Brown: VP EMEA, WinMagic

According to Health Minister Jackie Doyle-Price, the error has now been rectified, and the NHS said it would write to affected patients as well as their GPs. The NHS was at pains to confirm that the incident had not affected patients’ personal care and treatment.

The latest embarrassment for the NHS comes after last year’s massive breach involving the records of 26 million patients. Again, this involved the IT systems used by GPs.

At the time, the issue revolved around doctors switching on ‘enhanced data sharing’ so that patient records could be seen by the local hospital. Unbeknown to the doctors, the system also gave anyone the potential to view them without authorisation.

The data breach also comes just two months after TPP, the developer of the SystmOne Enhanced Data Sharing Model at the heart of GP-centred data sharing, announced new functional tools for general practices.

At the time, the company boasted that these tools would support GP data controllers and ensure they could confidently activate and control the sharing of patient records to support care.

A TPP spokesperson said the company is now in talks with the ICO, NHS Digital and NHS England about the issues.


Tim Bamford

Tim is a veteran freelance journalist writing extensively on internet news and cybersecurity.