Five NHS bodies breach Data Protection Act

The Information Commissioner’s Office (ICO) has called on the NHS to do more to protect patient information, following a slew of breaches at the health service.

The ICO discovered five health organisations had breached the Data Protection Act, all of which had not taken “appropriate steps” to secure sensitive personal information.”

Information commissioner Christopher Graham said the NHS needed to initiate a “culture change” if security was to be improved.

“Recent incidents such as the loss of laptops at NHS North Central London - which we are currently investigating - suggest that the security of data remains a systemic problem,” Graham said.

“The policies and procedures may already be in place but the fact is that they are not being followed on the ground.”

In one of the five breaches discovered by the ICO, Ipswich Hospital NHS Trust lost 29 patient records after a member of staff took them home to update a training log and then misplaced them.

In another, Dunelm Medical Practice in Durham sent discharge letters about two patients’ routine operations to the wrong recipient, after an employee entered the fax number incorrectly.

The NHS has suffered numerous data breaches in the past, losing devices in public spaces such as a car park and a bus stop.

Reports last month indicated an NHS laptop containing 8.6 million medical records had gone missing.

“We fully support the information commissioner's call for improvement in local NHS practice in relation to preserving patient confidentiality,” a Department of Health spokesperson said.

“There is absolutely no excuse for breaches leading to the loss of sensitive and personal data. Encrypting information held on portable devices such as laptops and memory sticks is just as important as avoiding public conversations about patients' details.”

The NHS has signed a deal with Zscaler to implement at cloud security product within the health service, IT Pro revealed last week.