ICO investigating potential leak of 26m NHS patient records

News by Roi Perez

An "enhanced data sharing" feature in a software named SystmOne in use by a third of NHS practices opens up medical records without patient consent.

Medical records of 26 million NHS patients are believed to be at risk of data theft, as the IT system used by thousands of GP surgeries shares data on patients, according to a press release from the ICO. 

The Information Commissioner is investigating concerns that records held by 2700 practices, a third of the UK total, can be seen by anyone thanks to a computer system used by GPs named SystmOne.

Switching on “enhanced data sharing” in the computer program meant the records could also be accessed by thousands of people across the country including receptionists, clerical staff, healthcare assistants and medics working in pharmacies.  

All of the above can look up sensitive information about individuals - even if there is no medical reason to do so.

Eduard Meelhuysen, head of EMEA at Bitglass told SC Media UK: "This incident shows that even some of the country's most prominent organisations trust in their software providers almost blindly. As for the software provider, the concept of ‘privacy by design and default' comes to mind here. The GDPR states that privacy settings must be set at a high level by default and must be designed into products and services during development process. Without additional data visibility and security tools wrapped around their third party software, organisations will inevitably continue to stumble upon such issues.”

Privacy experts have warned that as patients would not have been told their records were shared in this way, the risk if high of the information being accessed for malicious reasons and may fall into criminal hands.

The head of the British Medical Association's IT committee has written to all GPs who use SystmOne, owned by TPP,  urging them to take “urgent action”.

Doctors have been urged to consider switching off the function, although this would make it difficult to work with local hospitals.

A spokesman for the Information Commissioner told Pulse Magazine: “We do have data protection compliance concerns about SystmOne's enhanced data sharing function. These concerns are centred around fair and lawful processing and ensuring appropriate security in respect of the data held on the system. We have made these concerns clear to TPP and NHS Digital and we are in discussions with them about how these are resolved.”

TPP has said it is “making amendments” to the function to amend this data sharing issue.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews