The NHS has suffered more than 7,000 data breaches in the last three years, a rising volume of incidents that will only be tackled when prison sentences are handed down for serious offences, a study by campaign group Big Brother Watch (BBW) has argued.
An analysis of responses to Freedom of Information (FoI) requests sent to health trusts and authorities (including Scotland and Northern Ireland), which achieved a 92 percent response rate, uncovered a total of 7,255 incidents that breached the Data Protection Act (DPA) severely enough for staff to be disciplined.
This was equivalent to an average of 2,481 breaches per year, or six every day, a dramatic rise compared to the three years prior to 2011 when a similar BBW study recorded only 806 incidents.
Breaking these numbers down by cause, 103 related to data theft or loss, 236 to data inappropriately shared by letter or email, 251 to data inappropriately shared with an unauthorised third party, and 124 to an issue with IT systems.
In fifty cases, data was shared on social media, on 143 occasions data was accessed for 'personal reasons', and on 115 occasions staff were found to have accessed their own records.
This resulted in 32 staff resigning during disciplinary proceedings, including 1 pending court case for a DPA breach, BBW reported.
The organisation also lists the ten worst offending Trusts, starting with South West Yorkshire Partnership NHS Foundation Trust (869 breaches), Taunton and Somerset NHS Foundation Trust (546), Cambridge University Hospitals NHS Foundation Trust (534), Northamptonshire Healthcare NHS Trust (346), and Bradford District Care (280). Mental health establishments seem to be a particular weak point.
The number of breaches underlined the difficulties faced by the care.data scheme, a programme designed to share patient health information across England, which many NHS users now had concerns about, BBW said.
"The information held in medical records is of huge personal significance and for details to be wrongly disclosed, maliciously accessed or lost is completely unacceptable," said BBW's director, Emma Carr.
"With an increasing number of people having access to patients' information, the threat of data breaches will only get worse. Urgent action is therefore needed to ensure that medical records are kept safe and the worst data breaches are taken seriously."
The failings underlined the limitations of the Data Protection Act, soon to be superseded in some of its provisions by the EU General Data Protection Regulation (GDPR), expected sometime after 2015.
Sanctions should also be tougher, with courts able to hand down prison sentences where necessary and serious offenders being given criminal records to avoid repeat incidents, she said.
However, not all the abuse was deliberate, and poor training was a root cause in some incidents.