NHS Digital grapples with 1.2 million patient data breaches

The news comes as NHS Digital approaches the end of a six month period during in which it agreed to remedy the unauthorised sharing of data under the now-defunct scheme.

The organisation has until 19 October to action around 1.2 million patient record opt-outs and a number of other key undertakings. The deadline was agreed with the Information Commissioner’s Office.

A paper from NHS Digital’s September board meeting said 47 of the 123 medical research information service customers and nine of the 28 non-MRIS customers that received unauthorised datasets had not responded to its request to destroy the data.

The paper also said 51 GP practices out of the 7,454 contacted had not yet submitted an up to date list of patients who have chosen to opt out of data sharing.

This means that although NHS Digital said it has repeatedly contacted those practices, it is unable to respect the data preferences of the patients.

In their undertaking to ICO, NHS Digital agreed to make patients “aware that it is possible that their personal data has been shared with third parties against their wishes” by 19 October.

HSJ asked NHS Digital if it had fulfilled its undertaking to contact the 1.2 million patients affected by the incident.

NHS Digital said: “We have been working in consultation with the Information Commissioner’s Office to ensure that we meet the requirements of the undertaking.”

Under the Care.data patients were offered the opportunity to opt out from having their data shared with other organisations.

Approximately 1.2 million patients signed up to the opt-out under a “type 2 objection”, which said personal confidential information relating to them should not be disseminated or published by NHS Digital for purposes beyond their direct care.

According to the ICO, NHS Digital was not able to process these type 2 objections for “legal and technical reasons”, and confidential information was passed on to a variety of customers.

By sharing type 2 data with these third parties, NHS Digital breached the Data Protection Act, the ICO found.

In April, NHS Digital signed an ICO undertaking committing to taking seven steps to remedy the problem. These include:

• contacting all 1.2 million patients who opted out to tell them their data may have been shared against their wishes;
• contacting all customers who received unauthorised data sets from NHS Digital between January 2014 and April 2016 to inform them that, where possible, the data must be destroyed, deleted or replaced with a new dataset; and
• establishing and operating a system to successfully process and uphold type 2 objections.

NHS Digital board papers published this month detail actions taken to fulfil the undertakings. These include:

• contacting 123 MRIS studies and 28 non-MRIS customers that received unauthorised data from NHS Digital, to instruct them to destroy any unused data;
• successfully developing a way of “cleaning” data files prior to dissemination, to completely remove the records of patients who have opted out and assure those patients that their files have been completely removed; and
• increasing the proportion of GP practices collecting patient opt-outs to over 99 per cent of all GP practices – ensuring that most patients are informed of their options to opt-out.

CORRECTION: This story was updated on 28 September to reflect that 1.2 million patients have registered Type 2 objections, not 700,000 as previously reported.