Somerset LMC reports confidentiality breaches

  • 16 August 2007

Somerset Local Medical Committee (LMC) has reported two ‘significant and worrying’ breaches of patient electronic data confidentiality, both by individuals working within NHS IT systems.

Dr Harry Yoxall, secretary of Somerset LMC, told EHI Primary Care that the systems involved were not supplied by NHS Connecting for Health, but in the first case a regular practice system and, in the second, a remote connection to a hospital lab system.

In the first case "an employee of a primary care system supplier used their employer’s access codes to open and inspect the GP clinical notes of a particular patient". The breach was detected by the PCT and local health information service by the use of monitoring software installed to record all access to the system.

Dr Yoxall said that the breach involved an employee of the supplier remotely accessing the system and viewing a patient’s record. He declined to name the practice or system supplier.

The employer moved swiftly to dismiss the individual concerned, and the PCT has confirmed that the practice’s system was not vulnerable to hacking by anyone else. Dr Yoxall said it was not known whether similar breaches may have happened in practices that were not keeping a log of external access.

The second reported breach is said to involve an NHS employee, who looked up their partner’s investigation results on the local hospital’s laboratory web browser, and then rang to make a GP appointment on their own to discuss them.

Dr Yoxall told EHI Primary Care that he suspected there were quite widespread breaches of confidentiality occurring through inappropriate access to records. "I suspect that a lot of NHS staff would like to look up their data such as test results, or those of a relative, friend or neighbour. I suspect that a lot of NHS staff, particularly those working in hospitals, do so without knowing they shouldn’t."

The LMC says that while there should be some reassurance that the confidentiality breaches came from people within the system, nevertheless "with literally hundreds of thousands of NHS employees and contractors having access to NHS data these events should wake us up to the fact that electronic data is at risk and should be guarded jealously."

It advises that anybody working in the health service should not access NHS information systems to look up anything that does not relate to the care of a patient being treated by the practice or service they are working for. This includes family members, even if they have given their consent.

"We would also strongly advise against looking up your own results – whilst, of course, you have every right to see these, it is much better to go through the proper channels."

The LMC secretary said that in his view the BMA’s position of opposition to the uploading of clinical records without specific patient consent seemed the right one to take.

Dr Yoxall said that the issue was that confidentiality breaches can and do occur. "An individual can get caught, but the patient’s confidentiality is still breached. It makes us all stop and think."
