NHS glitch led to 150,000 patients' data accidentally shared against their will

The coding error in a piece of software developed by TPP had gone undetected since 2015

A software glitch has resulted in up to 150,000 NHS patients' data being unwittingly shared against their will, a government minister has disclosed.

Due to a coding error in the SystmOne application, made by developer TPP, 150,000 data sharing preferences set between March 2015 and June 2018 in GP practices running the software were not sent to NHS Digital, according to Jackie Doyle-Price, parliamentary under-secretary of state for health.

Delivering a statement in parliament on Monday, the minister added the data was used in clinical audit and research settings against the 'Type 2 objections' patients had set - and was shared by NHS Digital between April 2016, when this data-sharing process was enabled, and 26 June 2018.

"TPP has apologised unreservedly for its role in this matter and has committed to work with NHS Digital so that errors of this nature do not occur again. This will ensure that patients' wishes on how their data is used are always respected and acted upon," said Doyle-Price.

"There is not, and has never been, any risk to patient care as a result of this error. NHS Digital has made the Information Commissioner's Office and the National Data Guardian for Health and Care aware."

NHS Digital manages the contract for GP Systems of Choice, and oversees TPP's involvement, on behalf of the Department for Health and Social Care (DHSC).

The health service's digital arm said it will be writing to all affected patients to make them aware of the issue, and that all objections are now being honoured.

"We apologise unreservedly for this issue, which has been caused by a coding error by a GP system supplier (TPP) and means that some people's data preferences have not been upheld when we have disseminated data," said NHS Digital's director of primary and social care technology Nic Fox.

"The TPP coding error meant that we did not receive these preferences and so have not been able to apply them to our data. We worked swiftly to put this right and the problem has been resolved for any future data disseminations."

'Type 2 objections', which are in the process of being phased out, have been replaced by a national data opt-out for patients across England to mark their preferences on their sensitive data being used in research and planning.

The new tool was released on 25 May to coincide with the enforcement of GDPR, and the preferences it collects will apply to health and social care organisations' data-sharing decisions from 2020.

On the new system, Doyle-Price continued: "This has simplified the process of registering an objection to data sharing for uses beyond an individual's care.

"The new arrangements give patients direct control over setting their own preferences for the secondary use of their data and do not require the use of GP systems, and therefore will prevent a repeat of this kind of GP systems failure in the future."

The incident follows two deals NHS Digital recently struck to enhance cyber security and patient privacy across the health service in England, with IBM and Privitar respectively.

NHS Digital's deal with Privitar, in particular, is geared towards boosting the level of patient privacy with the rollout of De-ID, software that enables the de-identification of sensitive patient records.

The system will work by separating a patient's identity from their personal information, so it can be shared with other healthcare organisations, in a consistent way across the health service, as opposed to the several models working in isolation at the moment.

A three-year contract with IBM, reportedly worth 30 million, meanwhile, will give the NHS access to an array of advanced security tools in a bid to enhance the health service's cyber security credentials after last year's WannaCry attack.

The latest incident will represent another reputational blow for the health service, which is already struggling to overcome its record of mishandling patient data and failing to adequately respect patient privacy. One example is the DeepMind controversy, in which patient data was shared with Google's AI project without patients' consent.

"TPP and NHS Digital have worked together to resolve this problem swiftly," said Dr John Parry, clinical director at TPP.

"The privacy of patient data is a key priority for TPP, and we continually make improvements to our system to ensure that patients have optimum control over information. In light of this, TPP apologises unreservedly for its role in this issue."

IT Pro has approached the Information Commissioner's Office (ICO) to ask whether it would be investigating the matter.
