The Health and Social Care Information Centre has asked a “significant” number of trusts to delete data containing Hospital Episode Statistics returns that could breach patient confidentiality.
The issue relates to HES data returns submitted to the HSCIC, which have been found to include fields that contain patient identifiable information.
The HSCIC has declined to reveal the scale of the problem, but describes it as being “long-standing” and “low-impact”. It has written to trusts asking them to make contact for details of how to deal with the problem.
Andy Williams, chief executive of HSCIC, told EHI: “The issue relates to HES data returns from trusts with confidential data in place that shouldn’t have been there. We want to get the issue sorted as quickly as possible.”
EHI understands the patient identifiable data has been included in one or more free text fields included in HES returns, but which are not processed by HSCIC.
“One trust has had more than one patient indicator in this free text field. Others have had one or two,” said an HSCIC spokesperson.
In a letter sent in early June to trusts that received the data, the HSCIC said it had discovered “a number” of NHS organisations were sending data values that do not meet NHS Data Dictionary Standards.
The letter says the trust is working with the sending organisations to prevent the flow of the information, and asks the trusts to nominate a staff member tasked with ensuring the affected data is deleted promptly.
It says it has referred the matter to the Information Commissioner’s Office, and is working to prevent “individuals with malicious intent” trying to access the data.
In April, the HSCIC admitted to four separate HES data breaches in response to a Freedom of Information Act request from medConfidential.
At the time, the pressure group said it submitted the request after NHS England’s director of patients and information, Tim Kelsey, told Radio 4’s Today programme that use of HES was covered by such strict rules that “in 25 years, there has never been a single episode in which the rules… have ever compromised a patient’s privacy”.
Terry Hill, the HSCIC’s programme head for operations and assurance services, told EHI the latest problem has been “a long-standing issue for a number of years” but has only now been noticed.
“What I’m willing to say is, probably for the last 10 years we’ve had a problem of one level or another that’s now being addressed.”
Hill said the problem, while being treated seriously by the HSCIC, the ICO has assessed it as “low-impact” due to the level of complexity required to exploit the data.
“If you opened up the data which was sent out to organisations, you’d have to have deep knowledge of the systems, mine the data and put together several complex pieces of information.”
He would not answer questions about how many trusts have received or sent the data, or their identities, but said the HSCIC has been speaking to a “significant” number of trusts about the issue.
There is no specific date by which all trusts must delete the data, but Hill said the affected organisations have been helpful when approached by the HSCIC.
“Once we’ve contacted them, they’ve been very positive in addressing this.”
Hill said the issue has not had any impact on the flow of HES data, which has recently been disrupted by the Partridge Review.
He said the HSCIC is working closely with the ICO, and is preparing a response to a “large number” of questions and requests for information about the matter.
“We take any incidents of this nature extremely seriously, and we’re looking to close it down in as short a time as possible.”
An ICO spokesperson told EHI the office is “currently looking into a small number of possible data breaches related to information shared by the Information Centre”.