The NHS has inadvertently shared the confidential data of 150,000 patients over a three-year period due to a coding error in one of the most common GP IT systems.

A data breach led to the NHS accidentally sharing the confidential health data of 150,000 patients. The breach was a result of a coding error in one of the most common IT systems used by GPs, TPP’s SystmOne.

The error meant that patients who had opted out of having their information shared for purposes other than their direct care did not have their objection sent to NHS Digital.

Data used in clinical research

As a result, the 150,000 patients who had submitted type 2 objections between March 2015 and June 2018, when the fault was discovered, have accidentally had their data shared by NHS Digital for use in clinical audit research.

In a statement to members of Parliament (MPs), parliamentary undersecretary for health, Jackie Doyle-Price, said the error was “swiftly rectified” once it was discovered on 28 June.

“NHS Digital will write to all TPP GP practices to make sure they are aware of the issue and can provide reassurance to any affected patients. NHS Digital will also write to every affected patient. Patients need to take no action and their objections are now being upheld,” she said. “There is not, and has never been, any risk to patient care as a result of this error.”

Following the discovery of the breach, NHS Digital has made the Information Commissioner’s Office (ICO) and the national data guardian for health and care, Fiona Caldicott, aware of the incident. The ICO is currently making inquiries into the breach.

Problem was rectified quickly

NHS Digital’s director of primary and social care technology, Nic Fox, said the problem was quickly rectified and has been “resolved for any future data disseminations”.

“We apologise unreservedly for this issue, which has been caused by a coding error by a GP system supplier [TPP] and means that some people’s data preferences have not been upheld when we have disseminated data. The TPP coding error meant that we did not receive these preferences and so have not been able to apply them to our data,” Fox said.

“We take seriously our responsibility to honour citizens’ wishes and we are doing everything we can to put this right.”

Source: ComputerWeekly