HSCIC warns of HES confidentiality

  • 4 July 2014
The HSCIC will action patient opt-outs of data sharing on 29 April

The Health and Social Care Information Centre has asked a “significant” number of trusts to delete data containing Hospital Episode Statistics returns that could breach patient confidentiality.

The issue relates to HES data returns submitted to the HSCIC, which have been found to include fields that contain patient identifiable information.

The HSCIC has declined to reveal the scale of the problem, but describes it as being “long-standing” and “low-impact”.  It has written to trusts asking them to make contact for details of how to deal with the problem.

Andy Williams, chief executive of HSCIC, told EHI: “The issue relates to HES data returns from trusts with confidential data in place that shouldn’t have been there.  We want to get the issue sorted as quickly as possible.”

EHI understands the patient identifiable data has been included in one or more free text fields that form part of HES returns but are not processed by HSCIC.

“One trust has had more than one patient indicator in this free text field.  Others have had one or two,” said an HSCIC spokesperson.

In a letter sent in early June to trusts that received the data, the HSCIC said it had discovered “a number” of NHS organisations were sending data values that do not meet NHS Data Dictionary Standards.

The letter says the trust is working with the sending organisations to prevent the flow of the information, and asks the trusts to nominate a staff member tasked with ensuring the affected data is deleted promptly.

It says it has referred the matter to the Information Commissioner’s Office, and is working to prevent “individuals with malicious intent” trying to access the data.

In April, the HSCIC admitted to four separate HES data breaches in response to a Freedom of Information Act request from medConfidential.

At the time, the pressure group said it submitted the request after NHS England’s director of patients and information, Tim Kelsey, told Radio 4’s Today programme that use of HES was covered by such strict rules that “in 25 years, there has never been a single episode in which the rules… have ever compromised a patient’s privacy”.

Terry Hill, the HSCIC’s programme head for operations and assurance services, told EHI the latest problem has been “a long-standing issue for a number of years” but has only now been noticed.

“What I’m willing to say is, probably for the last 10 years we’ve had a problem of one level or another that’s now being addressed.”

Hill said that, while the problem is being treated seriously by the HSCIC, the ICO has assessed it as “low-impact” due to the level of complexity required to exploit the data.

“If you opened up the data which was sent out to organisations, you’d have to have deep knowledge of the systems, mine the data and put together several complex pieces of information.”

He would not answer questions about how many trusts have received or sent the data, or their identities, but said the HSCIC has been speaking to a “significant” number of trusts about the issue.

There is no specific date by which all trusts must delete the data, but Hill said the affected organisations have been helpful when approached by the HSCIC.

“Once we’ve contacted them, they’ve been very positive in addressing this.”

Hill said the issue has not had any impact on the flow of HES data, which has recently been disrupted by the Partridge Review.

He said the HSCIC is working closely with the ICO, and is preparing a response to a “large number” of questions and requests for information about the matter.

“We take any incidents of this nature extremely seriously, and we’re looking to close it down in as short a time as possible.”

An ICO spokesperson told EHI the office is “currently looking into a small number of possible data breaches related to information shared by the Information Centre”.
