NHS glitch exposes 150,000 private patient records

July 5, 2018

I know, there are tons of user agreements to dig through, but most of the time, when we tick off that “opt-out” box. We are confident that our private data is safe and sound. However, as proven time and time again, all it takes is a single software glitch to compromise your data. Whether it’s your financial information or your private health data. It seems like nothing’s completely safe anymore.

Context

The U.K.’s National Health Service (NHS) is blaming a software coding error for its latest data breach. A breach which led to the exposure of the personal records of around 150,000 patients. The affected patients have reportedly requested a processing type called “Type 2 objections,” (also known as Type 2 opt-outs). With this selected, their health data should only have been privately used to provide them with care. Unfortunately, a glitch caused this request to be omitted by NHS’s systems. Moreover, the supposedly private data was inadvertently used in clinical audits and research. NHS Digital stated the system provided by clinical software developer TPP contained a “defect”. A defect in the processing of the patients’ objections to the sharing of their confidential health data.

The glitch

The software issue caused all 150,000 Type 2 objections sent between March 2015 and June 2018 to be ignored, and they were, in fact, not sent to NHS Digital. It means the opt-outs were not upheld by the NHS at this time. Indeed, when the data was distributed between April 2016 and June 2016 and the patients’ personal records were used without the necessary authorization. This issue has been rectified in a written statement. The Parliamentary Under-Secretary of State for Health Jackie Doyle-Price stated, “since being informed of the error by TPP, NHS Digital acted swiftly and it has now been rectified.” NHS Digital also informed the Department of Health and Social Care of the system glitch on June 28. The department has started sending notices to the affected patients concerning the issue. They are also reassuring them that the opt-outs are now in effect. Doyle-Price also stated that no patient was put at risk because of the software glitch. Additionally, the U.K.’s new National Data Opt-Out system should prevent this kind of error from happening again.

Reaction

“As part of our commitment to the secure and safe handling of health data, on 25 May 2018 the Government introduced the new national data opt-out. The national data opt-out replaces Type 2 objections,” Doyle-Price wrote in an official statement. Doyle-Price added that with this new system, patients have more direct control over their data privacy settings. And “therefore will prevent a repeat of this kind of GP systems failure in the future.” Interestingly, this new opt-out system was launched on the same day as the new European GDPR data protection rules took effect. For their part, TPP apologizes for the error. It will continue to work with the NHS to ensure that these kinds of errors will not happen again. However, this incident is yet another reminder that the privacy of our data is susceptible to system errors that are beyond our control.