Concerns about the security of YOUR sensitive data heighten as a shocking investigation unveils instances of NHS personnel mishandling confidential information numerous times in the past two years

NHS Staff Commits Hundreds of Data Breaches in Recent Years

Newly uncovered data from MailOnline reveals that NHS staff have been responsible for approximately 1,600 data breaches across the UK since 2021. These breaches include instances where staff mistakenly sent sensitive information to the wrong individuals and left confidential documents unattended. Additionally, cyber attacks and unauthorized access to potentially sensitive data were identified as significant causes of these breaches.

However, it is important to note that the figures obtained from the Freedom of Information request only account for the number of breaches, not the number of individuals affected. The Information Commissioner’s Office (ICO) has investigated 75 NHS bodies for these breaches, although this does not necessarily mean personal data was exposed or that the NHS was at fault. In many cases, the investigations concluded that no further action was required or that the ICO offered advice.

Nevertheless, MailOnline’s investigation, which covers the period up to January 2023, uncovered that the most common breach involved unauthorized access to personal data, occurring 335 times. Over 250 incidents involved staff mistakenly faxing or posting data to the wrong recipients, while another 174 instances involved emailing documents to the incorrect person. This suggests that potentially thousands of patients may have been impacted beyond what the ICO’s numbers suggest.

This exposé comes shortly after it was revealed that more than 40 million voters’ data may have been stolen in the largest data breach in UK history. It was disclosed that hostile actors had access to the Electoral Commission’s systems for 14 months without detection. Similarly, a data breach of monumental proportions occurred in Northern Ireland, where data on thousands of officers and civilian staff were mistakenly revealed in response to an FOI request.

Furthermore, recent incidents within the NHS highlight the lack of data security. NHS Lanarkshire in Scotland received an official reprimand from the ICO last week due to staff members sharing patient data in an unsecured WhatsApp chat. Another NHS body accidentally shared patients’ HIV status, resulting in consequences, while a London trust was fined nearly £80,000 for a significant email error.

According to Phil Booth, coordinator of medConfidential, these figures demonstrate a pattern of avoidable mistakes with significant consequences. However, there is concern about whether affected patients were adequately informed, as the ICO does not ensure that proper communication occurs.

The data also revealed that NHS staff experienced loss or theft of devices or paperwork on 224 occasions, with one incident involving a brute force attack in 2022. Additionally, there were 101 instances where workers verbally disclosed private information, such as discussing a patient’s medical details in a public ward. Alteration of personal data was rare, with only 11 cases in three years, although it is unclear from ICO figures whether these changes were accidental or intentional. Furthermore, 36 breaches occurred when NHS staff failed to conceal the individual emails of recipients.

One notable incident involved Tavistock and Portman NHS Foundation Trust, which received a fine of £78,400 in July 2022. The trust mistakenly exposed the email addresses of approximately 1,780 patients while sending an email about an art competition. These breaches resulted in investigations of 75 NHS bodies by the ICO, although this does not imply that personal data was exposed or that the NHS was at fault. Nonetheless, five NHS bodies received formal reprimands as a result of these investigations.

Epsom and St Helier University Hospitals NHS Trust faced two reprimands, including one incident during the pandemic where a data entry error led to staff being incorrectly flagged as having the virus. This error resulted in multiple surgical operations being cancelled and the closure of local schools and nurseries. Another significant reprimand occurred when NHS Highland in Scotland mass-emailed 37 individuals who had accessed its HIV services, inadvertently exposing their email addresses to one another.

Other NHS bodies, including Bridgewater Community Healthcare NHS Foundation Trust and Warrington and Halton Hospitals NHS Foundation Trust, have also received reprimands in recent years. The NHS trust with the most ICO investigations since 2021 was Homerton Healthcare NHS Foundation Trust, which faced seven cyber-related incidents. The trust stated that these incidents were all phishing attacks by hackers, but that it has implemented additional measures to improve data security.

An NHS England spokesperson emphasized the importance of health and care organizations adhering to legal data security standards and promptly reporting any breaches. It is crucial to prioritize patient data protection and learn from errors to prevent future incidents.


Denial of responsibility! VigourTimes is an automatic aggregator of Global media. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, and all materials to their authors. For any complaint, please reach us at – [email protected]. We will take necessary action within 24 hours.