Sefton PCT leaks personal details of 1800 staff

Tags: A Information Inquiry iS Liverpool PCT

12 Dec 2007

Almost two thousand NHS staff on Merseyside have had their personal details, including National Insurance, pension and salary details, accidently leaked after Sefton Primary Care Trust (PCT) sent them out to four unnamed organisations.

According to the PCT the information was sent to the organisations in November when they were bidding for services as part of a tendering process. The PCT declined to specify the nature of the services the organisations were bidding to provide

The PCT says 1,800 NHS staff were affected by the foul-up and has apologised for the mistake. An investigation has been launched to find out what went wrong.

Sefton PCT chief executive Dr Leigh Griffin told the Liverpool Daily Post it appeared the details were accidentally attached to a spread sheet sent to four firms bidding to supply services, who “immediately destroyed” the data when the mistake came to light.

Dr Griffin added: “We have had assurances from all the organisations who were wrongly sent the information that it was promptly destroyed. It is important to note that the details did not include any bank information or addresses, minimising risk to our staff”.

The PCT CEO promised a swift investigation: “We are conducting a full internal investigation so this mistake cannot and will not happen again.”

Dr Griffin has sent a letter to all staff apologising for the "accidental release of their personal data". However the PCT said it would not reveal who the four organisations were due to "commercial confidentiality".

Trade union Unite has called for an urgent investigation into why Sefton Primary Care Trust sent staff details out to the four unnamed medical organisations who were bidding to supply services.

Kevin Coyne, Unite national officer for health, told the BBC: "It is disgraceful that an organisation trusted to protect the highly personal and sensitive medical details of thousands of patients can expose their staff in such a dangerous way and then deny them the information of where the information has been illegally sent.

"This is a clear breach of the data protection law and if it was an accident, an inquiry must be launched into how and why such sensitive information was passed on to so many external organisations."

Dr Griffin concluded: “As soon as I became aware of this I launched an investigation to make sure this does not happen again and wrote to all 1,800 staff to apologise for this accidental release of data, to notify them of the investigation and to give them assurances.”

Jon Hoeksma

Readers Comments

Having a laugh

12 Dec 07 09:34

•Sefton PCT sending out thousands of staff details. •Leeds Building Society has mislaid information containing the personal details of its 1,000-strong workforce •The Driver and Vehicle Agency in Northern Ireland has lost the personal details of 6,000 people. •A laptop computer containing personal details of up to 60,000 people has been stolen from the Citizens Advice Bureau in Belfast. •And of course HMRC has lost sensitive personal and financial details affection 25 million people.

Those are, no doubt, just the tip of an iceberg.

And still CfH "expects" GPs to upload 50 million medical records into their hands without a fuss.....

what about the detailed care record?

maryhawking@tigers.demon.co.uk

12 Dec 07 13:13

"And still CfH "expects" GPs to upload 50 million medical records into their hands without a fuss....." Just a thought. This refers to the *summary* care record. Does anyone know where the *detailed* care record would be? I haven't seen any discussion about whether patient records can be held on/ transfered to the detailed care record (whatever that may be - the select Committee wasn't getting much help with definitions) without patient consent?

Now where did I put that data centre....?

12 Dec 07 13:22

The previous post seems to have missed a key point - that the incidents name checked largely involve data on portable devices or storage media, or data being copied between systems. I'm not aware of anyone mislaying data from industrial scale data centres with full backup, disaster recovery and audited access control. Are you really suggesting that my personal data is more secure on machine tucked under my GP's desk?

Confidentially

cclements1@mac.com

12 Dec 07 14:07

PCT said it would not reveal who the four organisations were due to "commercial confidentiality". So commercial confidentiality takes precedence over duty to staff. The companies need to be identified, not to attach blame to them but if the data is misused to help victims get redress. If the PCT is in breach of a contract by releasing this information then the companies can take the appropriate action. If any of the staff want to change their banking/financial details then the PCT should pay the costs. If this happens then the money should come from any possible performance bonuses that may be paid and not out of the funds for patient care. Telling everyone that the data was destroyed is no guarantee that someone did not copy the file.

re Now where did I put that data centre....?

preston.demendonca@nhs.net

12 Dec 07 14:08

"..Are you really suggesting that my personal data is more secure on machine tucked under my GP's desk?"

er....unlikely as it may sound; it probably is

RE: Now where did I put that data centre?

mat.jordan@nhs.net

12 Dec 07 16:20

'er....unlikely as it may sound; it probably is'

Perhaps you'd like to expand on why you think that is?

Because

Neil.Bhatia@nhs.net

12 Dec 07 16:53

330,000 people don't have access to the GP's PC

Probabilities

12 Dec 07 16:58

Perhaps I could join the debate here.

For the sake of argument, and assuming that each GP kept just their own patients' records on a computer under the desk (which I know is not the case), then any one computer would have just 1/30 000th of the population's records on it.

You then need to factor in the probability of any one GP's computer being hacked or stolen, bearing in mind the limited number of people with legitimate access privileges to it.

Now, assume that you have a database holding, or portal that gives access to a much larger pool of records - say 40 - 50 million.

You then need to factor in the probability of this system's security being breached, bearing in mind the number of people with access privileges.

On balance, I'd prefer my confidential records to stay under the GP's desk.

Re: Now where did I put that data centre

12 Dec 07 17:28

The point is not whether the data centre itself is insecure, but who has access to download vast quantities of data for legitimate purposes and over secure network connections, and what procedures are in place (and enforced) to prevent them then writing it unencrypted onto CDs and sending it through the post.

Not under the desk

13 Dec 07 10:36

As usual, the polarised views give a false position. As part of the Accreditation of primary care, I think there is a requirement that Practices have their server in a locked computer room on-site, and not under the GPs desk at all. From a minimising risk perspective, I am with the local practice brigade. Whether all match the best at Disaster Recovery and security, I doubt. But they do have the direct relationship and responsibility to their own patients.

But from a community nursing perspective, I talked to a matron yesterday who bemoaned the lack of remote access to the several GP practices she covers, such that she squanders time travelling to each to enter data about patients she has seen in their homes.

The current NPfIT deliverables fail mobile PCT staff working alongside GPs, and the current GP arrangements are often also a barrier to sensible use of clinical time.

Re: Not under the desk

13 Dec 07 10:49

Recent security breaches (HMRC, Sefton et al) might suggest that - in terms of data security risk to you as an individual - if your data was, in fact, on a GP's computer physically kept under his/her desk, you'd probably still be less at risk than if incoporated into the sort of larger and more widely accessible repository that NPfIT is aspiring to.

Fortunately, the chances of their aspirations ever materialising continue to look pretty slim ...... but that's another (long-running) story!

Issues of relevance

13 Dec 07 10:52

Comment number 9 seems to have made the critical point. Security issues around the 330,000 people that have legitimate access to the data is a different issue. If none of the 330,000 has the right to download Summary Care Record data onto a device that can be lost or stolen, then the fact that other government departments or companies have lost material in this way is of little relevance and has no bearing on whether GPs should object to uploading the SCR.

RE:Not under the desk

stressfreedave@hotmail.com

13 Dec 07 11:09

Actually, GPs can use remote servers. I tried stoping this happening with my data, but I had to leave the NHS to stop it. That was despite an agreement in the past that patients would be allowed to stop this and even restrict access.

Realy sad when PCT staff dont know the rules.

Re: Now where did I put that data centre?

13 Dec 07 16:00

Yes, it is obviously the case that 330,000 users won't be able to download large swathes of data, but presumably there will be a limited number of people who will have access to large swathes of data via reporting tools. Hence it is legitimate to ask what will stop these users doing an HMRC. It is also legitimate to ask how many of these users there will be.

missing the point, by accident or design?

13 Dec 07 17:52

Going back to the point of the article, were these not HR records held on a local system, as opposed to secure medical records?

In response to the bandwagon brigade, and especially he who opted out of the NHS (did you get a discount on your national insurance contribution?), perhaps people may want to discuss support staff access to all computerised systems - for example, staff from two of the largest primary care software suppliers can access anyone's data whether it be in a data centre or locked in a cupboard (contractual obligations exist to keep the cables plugged in). Plus, do you have any way of auditing data changes made through the database software as opposed to the clients used by practice staff? Another cracking example is one of these companies not bothering to change the admin password on their installations, so staff who left said supplier were able to crack the database for their new employer 5 years later. Please explain how the above are in any way a better situation than audited access of specific levels of information?

How about some FACTS?

14 Dec 07 08:20

"... to upload 50 million medical records...". No; it's extracts from 50 million records on three specific topics - prescribing, allergies and adverse reactions. The Big Opt-Out also continues to give the impression that everything in a GP clinical record is going to be uploaded. Let's have a debate by all means, but based on reality and not hype.

"... 330,000 people having access to the information" No; only a clinician with a legitimate need to know will have access to the sub-set of clinical information on the SCR. In addition, they will have to enter their reasons for looking at it on every occasion that they do so. All accesses to the SCR will be recorded in an audit trail. Patients have the right to see that audit trail. Patients can chose to have parts of the record locked down - the 'sealed envelope' - which is planned to be in place before the vast majority of England starts uploading data to the SCR. Patients can choose to have their demographic information on the Spine locked down so only their name and NHS number is viewable. Not quite "330,000 people having access to the data" is it?

GP Practices with a "... server in a locked room..." Really? Any idea of the percentage who actually do this?

The risk

liz.nasey@ubht.nhs.uk

14 Dec 07 11:29

Any system is only as strong as its weakest link and whether it's X million records or just one, in the wrong hands the effect is just the same.

It's unreasonable to expect that IT systems with clinical data on will go away. All staff need to be aware of the risks and exercise the kinds of precautions they take with their own personal data at home.

Up to 3000 patients' data stolen

14 Dec 07 12:40

See: http://news.bbc.co.uk/1/hi/wales/7143358.stm

Presumably this data would have been sooo much safer had someone remembered to tuck the laptop back under the desk or put it back into that locked room. Never mind, it's only 3000 people (or thereabouts) - thank goodness it wasn't all on a central database in a secure datacentre where someone might have walked off with the lot.

Trust

14 Dec 07 13:11

All this technical ballyhoo is missing the point. I trust my GP.

(post edited by EHI)

GP security.

14 Dec 07 13:25

I've worked with a number of GP system suppliers in the past, do they still offer a backup verification service? i.e. send us your backup tapes in the post and we'll examine the data to see if it's ok.

Of the sites I went on the majority had the servers in a quasi secure room which wasn't locked during the day and was used by staff for other purposes such as tea making, prescription data entry. The backup tapes were in a rack next to the servers. Only 1 had a specific room which was locked at all times.

More worryingly what security do pharmacies have around their data on you on their systems? In some pharmacies the machines were logged in all the time with a single user ID which everyone uses.

Now tell me the data is less secure in a data centre with proper user access controls and support staff signing a binding code of conduct.

My information

14 Dec 07 13:50

I would like my information to be available to any clinician involved in my care. I would like to control this. I cannot do this at present because it is either locked in my GP surgery or in my local hospital. This is not my GPs or the local hospitals data - it is my health data that I should choose who to share with - not have this decided by my GP.

I expect this data to be managed properly and I also want to be able to see who has accessed it. I also want to ensure that there is no chance it will be lost or destroyed by fire or taken home on a non encrypted backup tape by the practice manager. If I am not able to indicate that I want to share my information - due to illness - I would like the people caring for me to be able to see my information to minimise their chance of causing me harm (I do not want to become an accidental death statistic due to my reaction to the medication they used on me).

I could go on - but this whole discussion is so one sided and extreme. The national care record is not a black and white argument - but a complex weighing up of the benefits of immediate access to potentially life saving information versus the risk of inappropriate access/use.

My view is that it up to me what is shared and nobody else and from speaking to patients I know that the vast majority of patients will want their information available via the care record summary. Unfortunately on this kind of discussion board you do not hear from the silent majority - only those with an axe to grind. The early evidence from the summary care record sites seem to back this up with less than 1% choosing to opt out.

Your information

17 Dec 07 14:12

Then actively give your explicit consent for the uploading of your details to the SCR to your GP. Many GPs, though they might have serious concerns about the safety and use/misuse of uploaded data, would not necessarily stand in the way of patients who actively ask for their data to be uploaded, as long as 1) the software allows such individual uploads without 2) "having to" upload the entire practice's records as well with an "opt-out" process. If the software doesn't allow this, well then direct your frustration at CfH and not at your GP practice.

But just because you actively want your records uploaded doesn't mean that tens of thousands of other patients at your practice feel likewise, or would do were they to have been fully informed of and considered all the significant implications of doing so.

re: my information

17 Dec 07 15:01

Finally a sensible comment - this IS a complex area of risk/benefit anlysis. Unfortunately the debate seems to have been hijacked by hobby horse jockeys, an increasing feature of these postings that i, for one, find frankly depressing

Risk/Benefit

17 Dec 07 20:40

Indeed, it IS a complex area of risk/benefit analysis. And that's why explicit consent is necessary.

Condescending...

18 Dec 07 17:01

First we were 'privacy fascists'. Now we are 'hobby horse jockeys'. Come on...you can do better!

Even if the NHS management cannot develop and implement good IT systems, at least they can write punchy headlines for the red top newspapers!

Desperate dismissals from desperate people who treat us all like children for their own nefarious reasons.

An interesting debate

20 Dec 07 11:30

I havnt done the maths but a percentage of health care spend goes on directly treating someone and a percentage goes on that thing that everyone hates, administration. When anyone cuts budgets you can bet your bottom dollar (ok pound) that its the administration budget that gets cut. This has happened in the NHS year on year. So you end up with leaky and rubbish admin processes that 'lose' data. Big surprise.

I hear a lot of people wanting there data managed better. Good. So more management in the NHS then? Of course not, you want your cake and you want to eat it.

Management costs

nhstechie@btinternet.com

21 Dec 07 23:53

An interesting debate "20 Dec 07 11:12 I havnt done the maths but a percentage of health care spend goes on directly treating someone and a percentage goes on that thing that everyone hates, administration. "

By coincidence we covered this in a business studies course I did recently. Despite what you may read in the redtops, NHS management costs average 3% of turnover, US health management costs average 30% of turnover. Go figure!

I trust my GP.

23 Dec 07 20:34

So did the good people of Hyde!