NHS suffered six data breaches every day since 2011, study finds

Soaring number of serious incidents

The NHS has suffered more than 7,000 data breaches in the last three years, a rising volume of incidents that will only be tackled when prison sentences are handed down for serious offences, a study by campaign group Big Brother Watch (BBW) has argued.

After analysing Freedom of Information (FoI) requests sent to health trusts and authorities (including Scotland and Northern Ireland), a 92 percent response rate uncovered a total of 7,255 incidents that breached the Data Protection Act (DPA) severely enough for staff to be disciplined.

This was equivalent to an average of 2,481 breaches per year, or six every day, a dramatic rise compared to the three years prior to 2011 when a similar BBW study recorded only 806 incidents.

Breaking these numbers down by cause, 103 incidents related to data theft or loss, 236 involved data inappropriately shared by letter or email, 251 involved data shared with an unauthorised third party, and 124 were caused by an issue with IT systems.

In fifty cases, data was shared on social media, on 143 occasions data was accessed for 'personal reasons', and on 115 occasions staff were found to have accessed their own records.

This resulted in 32 staff resigning during disciplinary proceedings, including 1 pending court case for a DPA breach, BBW reported.

The organisation also lists the ten worst offending Trusts, starting with South West Yorkshire Partnership NHS Foundation Trust (869 breaches), Taunton and Somerset NHS Foundation Trust (546), Cambridge University Hospitals NHS Foundation Trust (534), Northamptonshire Healthcare NHS Trust (346), and Bradford District Care (280). Mental health establishments seem to be a particular weak point.

The number of breaches underlined the difficulties faced by the care.data scheme, a programme designed to share patient health information across England, which many NHS users now had concerns about, BBW said.

"The information held in medical records is of huge personal significance and for details to be wrongly disclosed, maliciously accessed or lost is completely unacceptable," said BBW's director, Emma Carr.

"With an increasing number of people having access to patients' information, the threat of data breaches will only get worse. Urgent action is therefore needed to ensure that medical records are kept safe and the worst data breaches are taken seriously."

The failings underlined the limitations of the Data Protection Act, soon to be superseded in some of its provisions by the forthcoming EU General Data Protection Regulation (GDPR) sometime after 2015.

Sanctions should also be tougher, with courts able to hand down prison sentences where necessary, and serious offenders given criminal records to deter repeat incidents, she said.

However, not all the abuse was deliberate, and poor training was a root cause in some incidents.

"If the government wants to make the public's data more accessible, then this must go hand in hand with greater penalties for those who abuse that access. This should include the threat of jail time and a criminal record," said Carr.

The full report makes fascinating reading as a real-world take on data breaches, itemising every single breach that was reported as part of its research.

Incidents included a probation officer who gave the personal details of a domestic abuse victim to her abuser and was fined only £150 for the offence, and the NHS Surrey computer that was bought at auction containing the records of 3,000 patients, resulting in a £200,000 ICO fine.

"Whilst fines may, at first, appear to be a sensible response, they quickly lose their impact on closer inspection," said the report in a possibly unintentional swipe at the ICO's impotent regime.

The BBW is correct to question the effectiveness of fines. The bigger sanction for private firms is simply embarrassment and loss of reputation. In many cases inside the NHS and public sector this rule is blunted by the fact that few members of the public ever find out about incidents.
