NHS shared details of 150,000 patients against their wishes
Up to 150,000 NHS patients have had confidential medical data given to private firms and academics against their wishes, it was revealed yesterday.
The error occurred when an IT firm used by GPs failed to tell NHS officials that those involved did not want their details to be shared.
The information included dates of birth, addresses, postcodes and NHS numbers but not names. It was passed to outside organisations including universities, councils and analytical firms working for drug companies.
The mistake, which continued for three years, was disclosed by the Government yesterday and is hugely embarrassing for the NHS as it marks its 70th anniversary on Thursday. Ordinarily, information from personal medical files, including diagnoses and hospital visits, is passed to NHS Digital, which controls patient data. Outside bodies such as universities, health watchdogs and private analytical firms can apply to use it for research.
But approximately 1.6 million patients have opted for their data not to be shared – about 2.7 per cent of the 60 million patients registered with GPs in England.
Health minister Jackie Doyle-Price has admitted that data from 150,000 of these patients had been passed on against their wishes.
The data breaches from March 2015 to June 2018 were the fault of TPP, a private company running IT systems in up to 40 per cent of GP surgeries in England.
It failed to inform NHS Digital that patients had requested that their data not be shared for any purpose other than their medical care, known as a ‘type 2 opt out’.
A spokesman has apologised ‘unreservedly’ to patients. But campaign group Med Confidential called for greater transparency in how medical files are shared by the NHS. Spokesman Phil Booth said: ‘That NHS officials failed to notice for over three years that one of their recommended IT suppliers wasn’t uploading patients’ opt-outs is bad enough.’ He then said the fact that patients’ identifiable information was handed to ‘commercial re-users’ was ‘an absolute scandal, a betrayal of the very trust they are supposed to be rebuilding’.
A British Medical Association spokesman said: ‘It’s imperative patients are able to control what is done with their information.’
Organisations given patient data from NHS Digital in the past year are consultancy firm Capita and Harvey Walsh Ltd, an IT firm which works on behalf of drugs companies. Others include Cambridge University, University College London and the Royal College of Physicians.
In 2013 the public’s confidence was further undermined over a scheme called Care Data. NHS officials wanted to upload medical details onto a central database to be used for research, including confidential discussions with GPs. But the scheme was scrapped in 2014 after opposition from doctors’ leaders and privacy campaigners, highlighted by the Mail.
Dr John Parry, clinical director at TPP said: ‘TPP and NHS Digital have worked together to resolve this problem swiftly. TPP apologises unreservedly.’