The powers of UK privacy watchdog, the Information Commissioner's Office (ICO), have also been called into question after it failed to take punitive action over the breaches.
According to the BBC, Birmingham-based company Diagnostic Health Systems – which carries out ultrasound scans for the NHS – was guilty of several data privacy breaches last summer, including failing to report the theft of a company laptop, staff sharing the same password to access files, emailing GP referrals directly to staff inboxes with no audit trail, and being unable to delete personal data from an ex-consultant's laptop.
These lapses were reported to the NHS by a whistle-blower and then passed on to the ICO.
The BBC says the ICO's subsequent audit of Diagnostic Health confirmed the breaches, but the watchdog refused to publish this audit – despite a Freedom of Information Act request – and then in March this year said it would take “no further action” against Diagnostic Health.
The company has now been declared compliant with data privacy rules and is again able to provide services to the NHS.
An ICO spokesperson confirmed to SCMagazineUK.com that it did audit Diagnostic Health Systems – but defended its decision not to publish the findings (which were leaked to the BBC) and not to penalise Diagnostic Health, after it improved its safeguards.
In an email to SC, the spokesperson said: “The audit was carried out with the organisation's consent and they requested that the audit summary for the report should not be published.”
He explained: “The ICO carries out audits with organisations to assess whether they are following good data protection practices and looking after people's information correctly. We have limited compulsory audit powers and so the vast majority of audits require consent.”
The ICO said that following its audit, Diagnostic Health Systems has acted on its recommendations for improving the way it handles personal information, and “we are happy with their progress so far.”
But industry expert and leading CISO, Amar Singh, criticised the ICO's limited powers, as well as Diagnostic Health's approach to privacy.
He told SC UK: “This case of complete and utter disregard for what is sensitive personal information demonstrates the need for strengthening the powers of the ICO. I am normally in support of self-regulation but these types of cases are a constant reminder of the need for punitive regulations. The current lack of power and mandate of the ICO is quite shocking.”
Singh also said Diagnostic Health showed a “truly shameful level of negligence and disregard for patient personal data - not reporting a breach to the ICO, sharing passwords etc.”
“Most of the missing controls fit into the common sense category, cost-effective controls within the reach of every company.”
Meanwhile, Edward Savage, an IT security expert at PA Consulting Group, said the case highlighted the need for organisations to focus on improving individuals' understanding of cyber security.
He told SC UK via email: “The NHS has some good information security policies and guidance. However, all organisations are open to unthinking acts by people - who may not always be staff - who have access to information for their job, but who do not realise how easy it is for this information to be compromised.
“Expensive technical solutions are often sought, but the more effective and most sustainable option is to help people to do the right thing. Driving the right behaviours is not just about creating awareness, but about embedding security thinking into normal routines.”
The NHS body that bought services from Diagnostic Health, Stafford and Surrounds Clinical Commissioning Group (CCG), told SC UK via email that, now the company has implemented new processes: "The CCG is satisfied that the service is safe to be reinstated. As a result the CCG is currently negotiating a new contract with Diagnostic Health."
SC UK contacted Diagnostic Health for its views, but it did not respond by the time of writing. The ICO also did not wish to comment further. None of the organisations contacted by SC questioned the accuracy of the BBC's report.
In March, the government promised the ICO new powers to carry out compulsory audits on health service bodies but these do not come into force until the autumn.
The revelations over Diagnostic Health coincide with the publication of a Government review into the data sharing practices of the now defunct NHS Information Centre. The review was launched in the wake of the debacle over the Government's £50 million ‘Care.data’ scheme to gather the electronic patient records from every GP practice in England, which was shelved for six months in February over fears that people had not been properly informed of the plan or of their right to opt out.
The review by Sir Nick Partridge, a non-exec director of the Health and Social Care Information Centre, has confirmed “lapses in the strict arrangements that were supposed to be in place to ensure that people's personal data would never be used improperly”. It makes a series of nine recommendations to improve control over data sharing.