David Higgerson of the Liverpool Daily Post reports:
THE records of hundreds of Merseyside patients have gone missing from the region’s hospitals and surgeries over the past two years.
Many of the incidents – including one where the names, partial addresses and door access codes to sheltered accommodation were taken – have prompted changes in working practices at health trusts across the area.
A number of the patients involved will be unaware their information had been lost. In one case involving Liverpool PCT, a patient only discovered their file was missing after a solicitor asked to see it.
Several of the cases involve data going missing in the post, including one incident where a ripped envelope arrived at its destination without the CD containing patients’ data which had been inside it.
And at one trust, the Countess of Chester Hospitals, records of several patients were found to have been thrown away.
Until now the only reported data breach in the region has been when the personal details of staff at Sefton PCT were accidentally released.
But an investigation by the Daily Post, using the Freedom of Information Act, has revealed the loss of 230 records by health staff in the region.
More than half of the trusts which replied to a request for information confirmed they had lost data.
It is also revealed that the largest data loss – 100 records held on a “memory stick†by Liverpool Primary Care Trust, was not reported to the patients involved.
According to the PCT, the memory stick was lost or stolen in an office, and could not be located.
A spokesman said: “The data stick was encrypted. The appropriate manager completed an incident form and a management report.
“As a result of the loss, procedures were changed and patient information is no longer stored on portable data storage devices.
“The PCT did not inform the patients involved as the data stick was encrypted.â€
The second single largest loss of data was reported by Halton and St Helens Primary Care Trust where a book used by weekend district nurses was “mislaidâ€. It contained names and partial addresses of patients, plus the access codes to get into communal accommodation, such as sheltered housing.
A spokesman for the PCT said: “An extensive search of the locations and offices used by the District Nursing teams was undertaken, but the communication book has not been found at present.
“The communication book contained as routine, the patient’s name and partial address. However, for three patients, there was a four-digit door access code recorded.
“We arranged for their access codes to be changed. In addition, we sent each of those three patients a letter, informing them of the reason the code was being changed.
“As a result of this incident, we reviewed the use of this type of communication book and as a result we have taken it out of operational use.â€
The Royal Liverpool Children’s Hospital – Alder Hey – confirmed it had been forced to remind staff not to take patient files homes after one was stolen. It reported the highest number of data loss cases – five – but each only involved one patient.
Sefton PCT – which had been included on a government list of NHS data losses after staff details were inadvertently released – was one of three organisations to confirm data had gone missing in transit.
Both Alder Hey and the Liverpool Women’s Hospital said documents sent in the regular post never arrived, while Sefton PCT blamed the theft of a courier’s vehicle for files belonging to several children going missing.
A spokesman for Sefton PCT said: “People in Sefton can be confident that the Primary Care Trust looks after patient data very carefully and takes any breach or loss very seriously.
“We have strict policies and procedures about how data is used within the organisation and what happens in the event of an incident.
“The PCT employs the use of an incident reporting system to ensure incidents are reported, fully investigated and that lessons learned are cascaded within the PCT.
“Both incidents were investigated fully and reported to the Strategic Health Authority.â€
Opposition politicians said the cases proved that data losses were now a regular occurrence and not just restricted to several high-profile cases, such as the loss of 25m child benefit files last year.
Shadow health secretary Andrew Lansley said: “The problem is endemic.
“The Government has been serially incompetent in looking after people’s personal data.
“People need to feel like they can trust the Government when they hand over personal data.â€
Joyce Robins, from the patient support group Patient Care, said: “Health records can have anything from your ex-directory phone number to your HIV status.
“I think it’s the tip of the iceberg because there’s such carelessness within the NHS and it’s always impossible to hold anyone to account and find out who’s actually done anything.â€
But a spokesman for the Department of Health said “There is no evidence of any data falling into the wrong hands.
“Patients are informed if it is appropriate to do so. Action will be taken against anyone who has failed to fulfil their legal responsibilities.’’