Leaked ICO audit reveals data breach
- 19 June 2014
A private medical company’s data breaches may have involved the personal information of up to 10,000 patients, according to an Information Commissioner’s Office report, leaked to the BBC.
The ICO report shows that Diagnostic Health Systems, which carries out ultrasound scans for the NHS, stored unencrypted patient data in its database.
According to the BBC, the ICO audit shows that although the company was made aware of the breaches by 26 June 2013, it continued to add data to its database for another month.
However, in an email to EHI, Diagnostic Health Systems’ chief executive Jonathan Leonard said the company identified the information governance issues in June 2013 and “took immediate action to rectify the situation.”
He said it also worked with all of the company’s clinical commissioning group customers, for whom the company provides ultrasound scanning, to “voluntarily suspend service provision.”
“In addition we have worked transparently with our NHS commissioning clients throughout the process and can confirm that they are satisfied with all steps taken moving forwards.
“As a result, our lead commissioner has confirmed that they are once again happy for us to resume providing services for their patients, and others are in the process of agreeing the same.”
The audit also found that the theft of a company laptop from a staff member had not initially been reported to the ICO, and that company staff members shared passwords to access a storage account.
The BBC also reports that GP referrals were being emailed directly to staff email inboxes.
The ICO has decided not to publish the report because the Birmingham-based company consented to the audit and requested that an audit summary not be made public.
In a statement, an ICO spokesperson told EHI that the organisation has “limited compulsory audit powers”, and therefore requires consent from companies before undertaking an audit.
“It is important that organisations are able to engage with us constructively during the audit planning process and we therefore commit to not releasing details of the report until the executive summary is published,” said the ICO spokesperson.
“Following our audit with Diagnostic Health Systems, we provided recommendations advising the organisation on the improvements it should make to the way it handles personal information. These recommendations are being acted upon and we are happy with their progress so far.”
In December last year an investigation by the Care Quality Commission found that the company did not meet the CQC’s standards on keeping people’s medical records accurate, safe and confidential.
The CQC’s report says that during its visit, staff said there was “no login or password needed for the ultrasound scanner”, and “people’s information was collected and stored on the scanner which meant that the provider was handling some patient information and scan images.”
The CQC then spoke to the company, which said it did not class the ultrasound images as “patient information, but agreed that they were handling and storing these images which contained some personal details.”
The company also told the CQC that the lack of password protection would be investigated. Before its inspection the CQC received “concerns about the handling and storage of people’s information”.
“The provider agreed that there were significant gaps in their information governance systems and agreed that their national process in respect of information management was not robust,” says the report.
The company has now taken action to ensure it complies with information governance standards.