Hundreds of organisations failing to protect patient’s ‘high-risk’ data, says BMJ

Hundreds of organisations have breached patient data-sharing agreements in the past seven years, an investigation by the BMJ has revealed. Despite these “high-risk” breaches, none of the organisations has had its access to patient data withdrawn.

Companies, clinical commissioning groups (CCG) and leading universities – with Imperial College London (ICL) and GlaxoSmithKline (GSK) among the offenders – were handling information outside of agreed data contracts and may still be failing to protect patient confidentiality, the journal said, based on the examination of NHS Digital audits.

In one case, clinical care commissioners allowed sensitive, identifiable patient data to be released to Virgin Care without permission from NHS Digital. When NHS Digital’s audit team tried to check Virgin Care’s compliance, the company denied access for several weeks and even refused to delete the patient data after the termination of the contract with the CCG.

“It is outrageous that private companies and university research teams are failing to comply,” says Kingsley Manning, former chair of NHS Digital. “How is it that these organisations can be so lax with data?”

A spokesperson for Virgin Care told the Guardian it had “robust data protection in place”.

In the past year alone, every one of the 33 organisations audited by NHS Digital was found to have breached data-sharing agreements, with hundreds more inspected and found in breach since audits began in 2015. The data released included mental health records of children and young people, including that of patients with learning disabilities.

“These breaches will damage public trust that data are being handled safely and securely,” said Natalie Banner, former lead for Wellcome’s Understanding Patient Data initiative. “The current system is failing to protect data adequately and a major policy shift and investment is needed.”

In another instance, GSK was found to be at “high risk” with regard to “compliance, duty of care, confidentiality, and integrity” by NHS Digital’s auditors in December 2021, having breached the terms of its data-sharing agreement with NHS Digital in 10 different ways. The breaches identified by NHS Digital included allowing four unauthorised GSK data analysts in North America to access the patient data, as well as the processing and storing of NHS patient data in undeclared locations.

GSK was re-audited in August 2021 and downgraded to “low risk.” A GSK spokesperson said the company had worked to tackle fully all of NHS Digital’s recent audit findings, stating that “all patient data was robustly protected at all times.”

Also in August 2021, a health statistics research unit at ICL was deemed “high risk” after failing to encrypt identifiable, sensitive patient data while in transit between the primary data centre and the backup site. Moreover, two doctoral students were given unauthorised access to the data supplied by NHS Digital and vulnerability scans were found to not have been conducted on the infrastructure, among other breaches.

An ICL spokesperson told the BMJ: “We fully accepted the findings of this audit and quickly put in place an action plan to tackle the matters raised.”

These instances are only two of the hundreds of data breaches identified by the BMJ. Research teams at the University of Cambridge; Cambridge University Hospitals NHS Foundation Trust; the Oxford University Hospitals NHS Foundation Trust, and Oxford University’s Nuffield Department of Primary Care Health Sciences were all found to be at “medium risk” in audits published in February 2022 and November 2021, respectively.

Auditors found the Cambridge team was processing patient data on “unencrypted desktop machines.” The university has denied the claims, saying that the patient data were not identifiable and that “at no point were patient identifiable data at risk of disclosure or loss.”

The University of Bristol and the University Hospital Bristol NHS Foundation Trust are also described as “medium risk”, having been found to have a history of repeatedly breaching data sharing agreements going back to February 2020.

Steve Gray, chief information officer at University Hospitals Bristol said: “We are committed to working with NHS Digital to provide the necessary assurances around the three outstanding recommendations.”

A spokesperson from the University of Bristol added: “We have been subject to numerous NHS Digital audits over the past decade and any points of action have always been appropriately tackled.”

Despite the volume of data breaches, NHS Digital has made no attempt to curtail the investigated organisations’ access to patient data. NHS Digital said it was working with the organisations to rectify problems and stressed that any decision to curtail access to data would “need to be balanced against any negative impact to patient care.”

Phil Booth, coordinator of medConfidential decried this approach. “These contractual requirements aren’t just for fun,” he said. “A single data breach could include sensitive information about millions of patients”.

NHS Digital has the power to report an organisation to the Information Commissioner’s Office (ICO) if there has been a personal data breach. However, the ICO told the BMJ it could not reveal if NHS Digital had ever reported a pharmaceutical company, university, or organisation for breaching a data-sharing agreement. 

There are no examples of enforcement action against these entities published on the ICO website.

Data governance is becoming increasingly important in the UK, as the government strives to turn Britain into a global data ‘superpower’. To achieve this, the government has revealed its plans to link GP data with other NHS data to inform planning and improve care pathways, as well as abolish NHS Digital, allowing NHS England to take on its powers and responsibilities.

These changes could yield benefits worth nearly £10bn a year, according to a report from management consultancy Ernst and Young. However, there are fears about the impact that these decisions will have on the protection of patient data.

“The move is alarming,” said Philip Hunt, member of the House of Lords. “NHS Digital is not perfect, but by abolishing it you risk removing one of the safeguards we have in the current system.”

It will take time to decide on the correct policy and to arrange the new data infrastructure, according to Banner, adding: “What’s being done about NHS Digital’s audits and those failures in the meantime?”