Medical records of Norfolk patients found in a petrol station, a King's Lynn restaurant and on the pavement
PUBLISHED: 07:34 16 August 2017 | UPDATED: 08:05 16 August 2017
Patients' confidential details have been left in a restaurant, found on pavements and emailed to the wrong people in hundreds of data protection breaches in Norfolk and Suffolk's NHS.
The region’s hospitals have dismissed staff and said they are tightening up how they look after patients records in the wake of the breaches.
More than 650 data protection incidents were reported in the region’s NHS trusts last year, according to data obtained by this newspaper through the Freedom of Information Act.
At the Queen Elizabeth Hospital in King’s Lynn the number of data protection breaches has almost doubled since 2014/15 to 212 last year.
In the last three years, ten breaches were so serious they had to be reported to watchdog the Information Commissioner’s Office (ICO) to investigate.
The breaches included a staff member finding a ward handover sheet with the confidential details of 35 patients on at a petrol station in 2015/16.
Last year another member of staff found the details of 12 patients on a document left at a local restaurant.
Patients’ private information has also been found on sheets lying on the pavements and streets around the hospital three times in the last two years.
But it’s not just paperwork which has led to patients’ information being shared with the wrong people.
The hospital also sent equipment to an auctioneer which had unencrypted patient data on it that same year.
Although the vast majority of the 212 incidents reported by the hospital last year were classed as a “near miss”, 11 caused “harm” according to the hospital.
Director of Strategy and IT at the QEH Jon Wade said: “Clearly, it is unacceptable that there have been a number of cases in which patient information has not been looked after to the standards which we would normally expect.
“We have had an internal drive to reduce the number of incidents by raising awareness of the importance of this issue to staff.”
No staff members have been dismissed or suspended for the breaches, but at the Norfolk and Norwich University Hospital (N&N) seven staff resigned after data protection breaches.
Another 15 had “formal action” taken against them, while four cases are currently being investigated.
Breaches included documents lost in transit, patients confidentiality being breached and paperwork being stolen.
Four cases were referred to the ICO by the hospital in the last two years, while 200 cases were investigated last year by the hospital.
That included 97 breaches of patient confidentiality.
There were 31 breaches from records going missing and 10 for unauthorised access or use of password.
A spokesman for the N&N said: “Safeguarding our patient information is of high importance. We have robust systems in place to ensure all staff have received information governance training which covers data protection training. A thorough induction is given to all new employees when they join the Trust.”
Alex Stewart, chief executive of patient group Healthwatch Norfolk, said: “It is concerning that there are these breaches. Any patient information loss is worrying. We need to be as vigilant as we can be.”
The James Paget Hospital in Gorleston said just four data protection breaches were investigated in the last three years and reported to the ICO.
All four related to ward handover sheets which contained confidential patient information.
Two sheets were found in rubbish bins while one was mistakenly given to a patient.
Director of Governance at the James Paget Anna Hills said all staff received regular training to protect patient information.
Meanwhile, the Norfolk and Suffolk Foundation Trust (NSFT), which provides mental health services across the region, has investigated 41 data protection breaches since 2014 - and the number has tripled since that year from seven to 22.
But just two cases needed to be referred to the ICO in the last two years.
Breaches included sending confidential patient information to the wrong patient.
Leigh Howlett, NSFT’s director of strategy and resource, said: “All our staff are required to undertake mandatory information governance training on a yearly basis and it forms a key part of our Trust’s induction programme,” she said.
The Norfolk Community Health and Care Trust (NCH&C) said it had investigated 165 “information governance incidents” last year and more than 500 over the last three years.
But only one was serious enough to report to the ICO.
That was when a staff member left a patient visiting sheet on the front seat of a car by mistake.
The NCH&C did, however, suspend three members of staff in 2015/16 for data protection breaches and five in 2014/15.
A spokesman said they used a “wide range of measures” to promote security awareness.
•Staff pried on patient records
Hospital staff have been dismissed and suspended in Suffolk for looking at patients’ confidential medical information.
At Ipswich Hospital nine data protection breaches were serious enough to be reported to watchdog the Information Commissioner’s Office (ICO) over the last three years.
That included five times when staff at the hospital unlawfully obtained personal data, the hospital said. One staff member was dismissed in 2015 for that.
And “HR Action” was taken against another three other staff members.
Another disciplinary investigation is currently ongoing after a staff member again unlawfully obtained personal data.
The hospital reported 72 data protection breaches in 2015/16 and 40 last year.
West Suffolk Hospital said it had reported one breach to the ICO in the last two years, while Suffolk Community Healthcare said it had not reported any data breaches to the ICO.
•Five of the most serious breaches
The most serious data protection breaches are referred to the Information Commissioner’s Office (ICO) which investigates and decides whether to take any action against the hospitals.
Over the last three years which we asked the NHS trusts for information for, the most serious breaches were:
•Two occasions when the N&N hospital lost information in transit
•At the James Paget Hospital a ward handover sheet with patient information on was accidentally given to a patient.
•At the QEH the details of 33 patients were found on a document on a pavement outside the hospital last year - the third time in two years an incident like this had occurred.
•Also at the QEH unencrypted patient data was sent to an auctioneer but found before it was sold in 2015/16.
•Finally at the QEH, the details of 12 patients was found on a document in a local restaurant.
An ICO spokesperson said: “The health sector handles some of the most sensitive personal data, and patients have the right to expect that their information will be looked after.”