NHS data breach hits 150,000 patients
Up to 150,000 NHS patients have had their confidential health records shared for years against their wishes, ministers have admitted. The information, including people’s NHS number and medical records, has been shared with other health bodies, universities and even private companies. Details of the serious data breach emerged as it was revealed that tens of thousands of Britons have had their personal details stolen in cyber attacks affecting companies including Fortnum & Mason, Travelodge and the internet bank Monzo.
UP TO 150,000 NHS patients have had their confidential health records shared for years against their wishes, ministers have admitted.
The Government yesterday revealed that NHS Digital, the national “safe haven” for patient data, accidentally disclosed sensitive information about patients to third parties.
The information, including people’s NHS numbers and medical records, has been shared with other health bodies, universities and even private companies. It represents the most significant data breach since the “care.data” scandal, another vast medical database which was closed after concerns about patient confidentiality.
The revelation came as it emerged that tens of thousands of Britons have had their personal details stolen in cyber attacks affecting companies including Fortnum & Mason, Travelodge and the internet bank Monzo. Details of the NHS Digital data breach were disclosed in the Commons by Jackie Doyle-price, the Health Minister.
In a written statement she said the NHS did not register the objections of some patients who had “opted out” of having their data shared with anyone not involved in their direct care.
A problem with software used by around a third of GPS to register the opt-outs means that the requests were not passed on to NHS Digital. The problem dates back to March 2015.
It was only identified last week, after the software was “recoded”, which removed the glitch and led to a sudden surge in the number of opt-outs that were registered. NHS Digital has pledged to write to all patients involved as well as their GPS to apologise.
Ms Doyle-price said: “NHS Digital recently identified a supplier defect in the processing of historical patient objections to the sharing of their confidential health data.
“There is not, and has never been, any risk to patient care as a result of this error.”
NHS Digital said the National Data Guardian, the Information Commissioner’s Office and the Royal College of GPS had all been informed of the error.
The problem affects about 10 per cent of the 1.6 million patients who opted out of having their information shared with anyone not involved in their direct care. Separately, it emerged that several high-profile companies have been hit due to a breach of a Spanish company used by businesses to run awards and online votes. It is believed hackers were able to access an online backup of the company’s records.
Victims included 23,000 shoppers at Fortnum & Mason, the upmarket grocer, which yesterday warned customers that postal addresses and emails were compromised by hackers.
Travelodge also admitted that details including birth dates and mobile phone numbers were affected, while Monzo, an online bank, said almost 20,000 of its customers had information taken.