PERFORMANCE: Inadequate IT security at NHS Birmingham East and North left data relating to “thousands of individuals” exposed, as well as “high level information” concerning patients.

The primary care trust has been told by the Information Commissioner’s Office that it breached the Data Protection Act by failing to restrict access to files on its IT network.

The breach led to some NHS staff at the PCT and two other NHS organisations nearby potentially being able to access restricted information.

The ICO’s acting head of enforcement Sally-Anne Poole said: “The ICO’s investigation has found that, while most of the files were not easily accessible and some security restrictions were in place, file security in general was inadequate.”

NHS Birmingham East and North reported the breach to the ICO in September last year after discovering that electronic files, stored on a shared network, were potentially accessible.

Ms Poole said: “The files contained information relating to thousands of individuals, including members of staff. Although health records were not compromised as part of the breach, the files also contained some high level information relating to patients.”

NHS Birmingham East and North chief executive Denise McLellan has signed an undertaking to ensure that adequate technical security measures are in place to prevent unauthorised access to personal data.

The PCT will also ensure that comprehensive policies are established regarding the storage and usage of personal data and that staff receive the necessary training on how to follow them.

Ms Poole said she welcomed the move. She added: “It’s vitally important that IT networks storing personal information have robust security measures in place. Whilst nobody outside of the [PCT] environment was able to access the files, problems with the security of the network still led to a situation where sensitive information was potentially available to NHS staff that did not need it to carry out their daily role.”