Alex Matthews-King reports in Pulse that the NHS is overriding 700,000 patient opt-outs to GP data being shared. The Health and Social Care Information Centre has said that 700,000 patients registered an objection to their identifiable information being passed from the HSCIC to a third-party before the aborted roll-out of in March 2014.  However, it admitted that it doesn’t currently have the resources to deal with this volume of objections and thus it has not been possible to implement the patient opt-outs. Dr Beth McCarron-Nash, who leads on for the General Practitioners Committee, told Pulse: ‘Obviously, if there are technical difficulties that HSCIC are experiencing, they must be resolved, and it is their responsibility to make sure patients are protected. But basically it’s a mess.’

NHS overriding 700,000 patient opt-outs

Neal Keeling reports in the Manchester Evening News that an investigation has been launched after scores of hospital staff at Salford Royal Hospital allegedly broke data protection rules to look at a colleague’s medical records. The person’s records were accessed via the Electronic Patients Record system which was installed two years ago.  Some 7,000 health care professionals have access to the system which is supposed to have a high level of security control, with users receiving formal training in information governance on an annual basis. The member of staff whose records were viewed had been admitted to the hospital for treatment a few months ago and is now believed to have commenced legal action against the hospital.

Hospital staff breached rules to view colleague’s medical records

The medConfidential campaign has issued a press release following the publication of the Independent Information Governance Oversight Panel (IIGOP) on the scheme. The report lists 27 areas of concern for the Programme Board to address, which contain some 52 unanswered questions.  In addition, there are seven additional tests that the recently announced pathfinder Clinical Commissioning Groups (CCGs) must meet. MedConfidential highlights that the sheer number of unanswered questions indicates just how fundamentally misconceived was from its inception, and at this stage – 10 months after the programme was stopped – suggests continued mishandling by those running the scheme. The IIGOP report can be found here.

27 fundamental areas of concern remain with scheme

MedConfidential published a background briefing concerning and related issues, for the Health Select Committee meeting on held on Tuesday 9th December 2014. This covered, amongst other things, (1) MedConfidential’s proposed amendment to the role of the National Data Guardian, (2) the patient opt-out still not being on a statutory basis and (3) the situation with consent around the use of hospital data within A recording of the Committee meeting can be found here.

MedConfidential Background Briefing for Health Select Committee – December 2014

Big Brother Watch have issued a report on NHS data breaches. It reveals that from the 1st April 2011 to 11th November 2014, there have been at least 7,255 breaches, which is equivalent to six breaches every day. As well as considering the number of data breaches within the NHS, the report reflects on the legislation that is in place to address them, highlighting that the Data Protection Act 1998 (DPA) has a number of flaws that must be corrected. Big Brother Watch proposes three measures that should be introduced, including introducing the option of custodial sentences and criminal records for the worst offenders and providing better training.

Patient Confidentiality Broken Six Times a Day

Kat Hall reports in The Register that some NHS trusts have failed to put agreements in place with Microsoft for extended security support for Windows XP. A majority of NHS trusts still operate Windows XP based machines and have signed up to a Cabinet Office agreement with Microsoft to provide ongoing security upgrades until April 2015; however, 18 trusts have so far failed to sign the agreement. The article highlights that a total of 1.1 million PCs and laptops are estimated to be running Windows at trusts, GPs and other health groups that comprise the NHS in England. The security risks from a lack of security support depend on factors such as how many non-upgraded machines are on the networks, the effectiveness of perimeter defences and the availability of suitable exploits for an attacker to use.

Patient records open to hackers due to NHS Trusts failing ...

Sophie Borland reports in the Daily Mail that health inspectors from the Care Quality Commission (CQC) making checks on GPs’ surgeries are routinely looking through patient medical records without seeking the consent of patients. The CQC claims it was granted legal powers to see the files without seeking consent under the Health and Social Care Act 2008. Dr Chaand Nagpaul, chairman of the British Medical Association’s GP committee, said: “The confidentiality of private medical information is the basis of the trust that patients put in their family doctors and it is vital that this is not compromised. If CQC inspectors want to have access to the private medical records of patients they need to put in place systems that obtain the explicit consent of patients.”

Watchdog is snooping on ‘private’ medical data

Graeme Burton reports on the Computing website that the NHS is to go ahead with the medical records data upload which has been on hold for the past six months due to concerns from privacy campaigners and GPs. NHS England is now planning pilot schemes in six areas across the country covering up to 265 surgeries and 1.7 million patients. The areas include Hampshire, Blackburn and Darwen in Lancashire, Leeds and Somerset, with the full scheme being rolled out shortly after. However, campaigners remain concerned that the method of data anonymisation is not robust and will not protect patients from identification.

NHS England to forge ahead with ‘unchanged’ plans

Reuters reports that Community Health Systems Inc., one of the largest providers of Health Care in the US, have been victims of a cyber attack in April and June of this year resulting in the loss of personal data belonging to 4.5 million patients. The cyber attack is believed to have originated from China and involved a hacking group called “APT18” which is believed to have links to the Chinese government.

US Hospital group loses patient data in cyber attack

Alex Matthews-King writes in Pulse that the Information Commissioner believes that General Practitioners should consider notifying their patients about as being “good customer service” and not as a “legalistic tick-box”. However, GP leaders have said this underestimates the strain it will put on practices to notify patients without additional funding. Dr Grant Ingrams, deputy chair of the GPC’s IT subcommittee and a GP in Coventry, told Pulse: ‘From the ICO’s point of view, GPs are the data controllers. So from their point of view, because we’re data controllers we’re the ones who need be sure that what needs to be done has been done.’ ‘From my point of view, that’s fine. But unless the NHS is going to fund that or provide the resources to do that, as in they do it on our behalf, or they fund us to do it, I don’t mind. Then it makes […]

GPs’ responsibilities amount to ‘good customer service’

Caroline Molloy writes for Open Democracy about three amendments on proposed by Professor Allyson Pollock and Peter Roderick: To address concerns and ensure data is available for genuinely medical and public health purposes, the authors have drafted three amendments which they are urging the Lords to adopt: “To keep confidential patient data in the public sector unless commercial organisations have express consent” and can demonstrate data are required for express medical purposes as set out in the law currently; “To put the Caldicott Independent Oversight Panel on a statutory footing with a duty for its advice to be taken into account”, and “To ensure independent or parliamentary oversight of directions to the Health and Social Care Information Centre and the accreditation scheme.” Prof Pollock explains: “These amendments will stop commercial exploitation of patient data and ensure there is proper scrutiny of commercial companies’ activities but they are still not […]

Three crucial safeguards for medical records proposed by leading voices ...

Margaret McCartney, a general practitioner in Glasgow, writes in the British Medical Journal: Why is, the government’s flagship NHS patient data programme in England, floundering? It’s consent, stupid. Most citizens who were asked hadn’t heard of the scheme. Consent to upload individuals’ medical records was sought by sending a leaflet, which was typically lost among a heap of pizza delivery menus. People who had opted out of receiving junk mail did not get it at all. The few who read the leaflet would have found that it didn’t even mention “” Also, it was heavy on assumed benefits (“find more effective ways of preventing, treating and managing illnesses”) but light on potential harms. It did not mention who would handle the data extraction (Atos), that records could be sold to private sector businesses, or the risk of re-identification by third parties and how this would be mitigated.

doesn’t care enough about consent

Laura Donnelly writes in the Daily Telegraph: On Thursday the board of HSCIC announced that it will conduct an immediate audit of all data ever disclosed by the central NHS authorities. In April it will disclose details of the data released by HSCIC. Details of data released by its predecessor organisation are expected to be published the following month. The report will set out what was released and why, and in future, records of such decisions will be released quarterly. Officials said they were taking the steps in order to “improve the transparency of its decision-making and build public trust in its actions.” They said the measures were being introduced following the concerns raised by MPs last week. The audit will be led by Sir Nick Partridge, a Non-Executive Director on the HSCIC Board and former Chief Executive of the Terrence Higgins Trust.

Review to probe sale of NHS medical data

Jon Hoeksma writes in EHI magazine: Health leaders gathered in Manchester for the Healthcare Innovation Expo look set to have their future-gazing overshadowed by the disarray over, after a truly disastrous week for the open data initiative. A fortnight ago, NHS England was forced to announce a six-month delay to the project to link the Hospital Episode Statistics to other databases and make the information available to researchers and others, after a public outcry about the lack of consultation on the plans. But the commissioning board had begun a fight back in defense of the programme, with a major communications campaign promised in an otherwise fraught session at the Commons’ health select committee, and tough new legislation unveiled by health secretary Jeremy Hunt. Despite this, by the end of the week, and its chief architect and champion Tim Kelsey, NHS England’s director of patients and information, was being […]

A bad week in the bunker for