Confidential health data of thousands of Dorset patients leaked by accident

Confidential health data of thousands of Dorset patients leaked by accident
Andrew Goldman
Thu, 10 February 2022, 5:00 am·3-min read
Health data breaches recorded in Dorset NHS trusts
Health data breaches recorded in Dorset NHS trusts
THE private data of thousands of NHS patients across Dorset was breached during a five-year-period – among the highest in the country.

A new study has shown Dorset Healthcare University NHS Foundation Trust (DHC) experienced the fourth highest number of data breaches in the UK, however the trust says this does not tell the whole story.

Security website VPNoverview.com sent out Freedom of Information requests to 229 NHS foundations across the UK regarding data breaches. Of those, 152 responded.

- ADVERTISEMENT -

This included DHC, which was found to have recorded 3,017 total data breaches from 2016 to 2021. A data breach is an incident where data is seen by an unauthorised individual or group, compromising the private nature of the information.

Often, the cause of these breaches is human error. Breached data ranged from medication, allergies, test results, and health conditions, to past and future referrals and appointments. The information is private, confidential and should not be divulged without the prior consent of the patient.

DHC also recorded the most breaches in the country between 2020 to 2021 at 672.

Dorset Echo: Poole Hospital and the Royal Bournemouth Hospital
Dorset Echo: Poole Hospital and the Royal Bournemouth Hospital
Poole Hospital and the Royal Bournemouth Hospital

However DHC told the Echo that of these instances, just 16 were actually reportable to the national Information Commissioners Office (ICO) – which would place the trust as among the best performing in the country.

Dave Way, data protection officer and information governance manager at Dorset HealthCare, said: “We take the security and management of data extremely seriously. Our staff process thousands of pieces of data every day, including entries into the patient record, prescriptions and letters to GPs or specialists, which we have to record on our systems. We encourage staff to report any incident, no matter how small.

“Of the incidents logged during 2016-21, only 16 were actually reportable to the national ICO, a figure which is on a par with the best performing trusts in the country. The ICO did not take action against us for those 16 incidents, either making recommendations or noting it was satisfied with the actions we had already taken.

“The vast majority of incidents reported internally are due to things such as outdated or incorrect contact details for patients, sometimes given to us by third parties. Nonetheless, we take all data incidents seriously and are continually looking for ways to minimise human error. Mistakes can happen but, by fostering a culture of staff reporting all incidents, we strive to learn from those mistakes and reduce the possibility of them happening again.”

Also in the top ten list for data breaches was South Western Ambulance Service NHS Foundation Trust (SWASFT), which recorded the seventh highest in the UK with 2,458 incidents.

Dorset Echo: SWASFT ambulance
Dorset Echo: SWASFT ambulance
SWASFT ambulance

SWASFT covers ambulance services for both BCP Council and Dorset Council.

However, a spokesperson from SWASFT said the majority of their recorded breaches were “low-level” and that a recent system issue fix had massively reduced the number of incidents.

They said: “We take the data protection of our patients, staff and suppliers very seriously.

“Although any data breach is unacceptable, the majority of the issues reported in the freedom of information request were low-level breaches, involving less sensitive information.

“The breaches in the report also reflect a systems issue that has since been resolved, which has resulted in a near 70 per cent reduction in reported breaches.

“We remain committed to protecting the privacy of the people we care for and work with, in accordance with the law and NHS best practice.”