HSCIC admits to four HES data breaches

  • 9 April 2014
The Health and Social Care Information Centre has admitted to repeated data breaches involving the Hospital Episode Statistics.

Documents obtained by MedConfidential in response to a Freedom of Information Act request say the HSCIC has records of one data breach for every year between 2009 and 2012.

The pressure group says it submitted the request after NHS England’s director of patients and information, Tim Kelsey, told Radio 4’s Today programme that use of HES was covered by such strict rules that “in 25 years, there has never been a single episode in which the rules… have ever compromised a patient’s privacy.”

Kelsey made his comments while defending the care.data programme, which will expand HES, add GP and other datasets, and then make the information available to researchers and other organisations.

Patients will be given the chance to opt-out after an information campaign. GP extractions were due to start this spring, but are on hold until October because of a huge row about the organisations that will benefit from the programme, and the opt-out arrangements.

Among the documents that the HSCIC has released to MedConfidential is a 130-page report on one of the data breaches.

This occurred in 2011, when an unencrypted laptop used by the London Health Observatory to access HES Online data was stolen from a store room that had been left unlocked.

The laptop contained imperfectly deleted data that “included full postcode and patient age for Hospital Episodes in 2009-10 throughout England”.

At the time, the Sun claimed that data about 8.6m patients was on the laptop. The HSCIC has not confirmed this. 

However, in a press statement issued overnight it stressed that its predecessor, the NHS Information Centre, had referred the incident to the Information Commissioner's Office, even though it was not responsible for the breach, "out of due diligence."

The HSCIC has also issued further information on the other incidents. It has said that in 2009, "a single member of NHS staff in a strategic health authority was inappropriately given access to identifiable information due to a technical error" when they should only have been able to access pseudonymised data.

In 2010, information was supplied from the 1939 register about a person who was not deceased, which is not an authorised release. And in 2012, a customer authorised to receive HES data securely from the NHS IC on a disc posted the information to their home address, which was not permitted.

Since November 2012, all information has been sent electronically by Secure Electronic File Transfer. In the statement, the HSCIC stressed that "it is committed and legally bound to the very highest standards of privacy, security and confidentiality" and that it regularly reviewed its systems and security processes.

However, Phil Booth, coordinator of MedConfidential and a member of the care.data independent advisory group, said: “Despite claiming a perfect record for security, we now find that patients’ hospital information has been breached multiple times.

“Were a computer containing such sensitive information to be sold on eBay or make its way onto the black market, who knows how many patients’ lives and privacy would be permanently wrecked.”

He called for an end to providing details of sensitive health records outside the NHS. “Fifty million patients’ medical records are a national treasure. It’s time they were treated as such.”
