Hundreds of patient data breaches are left unpunished
BMJ 2022; 377 doi: https://doi.org/10.1136/bmj.o1126 (Published 11 May 2022) Cite this as: BMJ 2022;377:o1126
NHS data breaches: a further erosion of trust
Hundreds of organisations including pharmaceutical companies, clinical commissioning groups (CCGs), and universities have breached patient data sharing agreements in the past seven years and yet their access to the information is not curtailed, The BMJ can reveal.
Companies, commissioners, and leading universities, including GlaxoSmithKline (GSK) and Imperial College London, have carried out “high risk” breaches according to NHS Digital audits examined by The BMJ. This means that they are handling information outside of agreed data contracts and may be failing to protect confidentiality.
In one instance of a high risk breach, clinical commissioners allowed sensitive, identifiable patient data to be released to Virgin Care without permission from NHS Digital. When NHS Digital’s audit team sought access to Virgin Care to check its compliance, it was refused for several weeks, and the company declined to delete the patient data.
“It is outrageous that private companies and university research teams are failing to comply,” says Kingsley Manning, former chair of NHS Digital. “How is it that these organisations can be so lax with data?”
“These breaches will damage public trust that data are being handled safely and securely,” says Natalie Banner, former lead for the Understanding Patient Data initiative hosted by Wellcome. “The current system is failing to protect data adequately and a major policy shift and investment is needed,” she says.
The BMJ’s analysis of NHS Digital audits found that in the past year 33 organisations were audited and every one had breached data sharing agreements, with hundreds more inspected and found in breach since audits began in 2015.
GSK was found to be at high risk with regard to “compliance, duty of care, confidentiality, and integrity” by NHS Digital’s auditors in December 2021.[1] It had breached the terms of its data sharing agreement with NHS Digital in 10 ways. Breaches included allowing four unauthorised GSK data analysts in North America to access the patient data. The company also processed and stored NHS patient data in locations which had not been declared.
The company was re-audited in August 2021 and downgraded to “low risk.” A GSK spokesperson said the company had worked to tackle fully all of NHS Digital’s recent audit findings. They said, “GSK is clear that all patient data was robustly protected at all times.”
A health statistics research unit at Imperial College London[2] was also deemed high risk in August 2021. Identifiable, sensitive patient data were not encrypted while in transit between the primary data centre and the back-up site; two doctoral students were given unauthorised access to the data supplied by NHS Digital; and vulnerability scans had not been conducted on the infrastructure, among other breaches.
An Imperial College London spokesperson told The BMJ, “We fully accepted the findings of this audit and quickly put in place an action plan to tackle the matters raised.”
Research teams at the University of Cambridge and Cambridge University Hospitals NHS Foundation Trust[3] and the Oxford University Hospitals NHS Foundation Trust and Oxford University’s Nuffield Department of Primary Care Health Sciences[4] were found to be at “medium risk” in audits published in February 2022 and November 2021, respectively. Auditors found the Cambridge team was processing patient data on “unencrypted desktop machines.”
A spokesperson for the University of Cambridge said the patient data were not identifiable and that “at no point were patient identifiable data at risk of disclosure or loss.”
The University of Bristol[5] and the University Hospital Bristol NHS Foundation Trust, also described as medium risk, were found to have a history of repeatedly breaching data sharing agreements dating back to February 2020, according to a post-audit review published in February 2022.
Steve Gray, chief information officer at University Hospitals Bristol and Weston NHS Foundation Trust, said, “We are committed to working with NHS Digital to provide the necessary assurances around the three outstanding recommendations.” A spokesperson from the University of Bristol added, “We have been subject to numerous NHS Digital audits over the past decade and any points of actions have always been appropriately tackled.”
In a separate high risk instance involving East Staffordshire CCG,[6] sensitive, identifiable patient data were released by the CCG’s processors to Virgin Care without permission from NHS Digital.
NHS Digital auditors found that pseudonymised or anonymised data, including children’s and young people’s mental health data, data about people with mental health learning disabilities, diagnostic imaging, and other confidential patient data, were being processed outside of objectives agreed with NHS Digital, at an address which had not been agreed, and without a data sharing contract.
NHS Digital’s audit team was denied access to Virgin Care for several weeks when it tried to check the company’s compliance. Furthermore, Virgin Care was unwilling to confirm to auditors how long it would retain patient data on backup media or where data were being processed or stored, including for disaster recovery and backups.
In June 2019 the CCG terminated its contract with Virgin Care and asked it to delete the patient data but Virgin Care refused, a March 2021 NHS Digital audit found.[7]
“Virgin Care has confirmed that data are now being kept only for the purposes of complying with statutory financial reporting obligations and any audit by a regulatory body,” NHS Digital said. “This is in line with NHS records management requirements. It should be noted that we have not found any evidence at any point that the patient record level data were at risk, nor transferred outside the European Economic Area.”
A spokesperson for Virgin Care, acquired by Twenty20 Capital and re-branded as HCRG Care Group, said East Staffordshire CCG had not updated its documentation regarding the partnership. Virgin Care/HCRG is “an experienced provider” with “strong governance” and “robust data protection in place,” the spokesperson said.
None of the companies, universities, or CCGs had their access to NHS Digital’s data curtailed in light of the breaches. Instead, NHS Digital said it works with the organisations to rectify problems.
Phil Booth, coordinator of campaigning group medConfidential, says there needs to be real consequences if companies, commissioners, and research teams breach their agreements, otherwise data sharing contracts are meaningless. “These contractual requirements aren’t just for fun: a single data breach could include sensitive information about millions of patients,” he said.
NHS Digital has the power to suspend the provision of data but any decision to curtail access to data would “need to be balanced against any negative impact to patient care,” a spokesperson said. CCGs would be unable to commission services if they had to return data, and ceasing access to data for clinical trials would mean their benefits would not be achieved, they added.
“We take our responsibility to safeguard data very seriously and data are only ever shared with organisations that have a legal basis and legitimate need to use it, to improve health and care services, including medical research. Once data are shared, we carry out independent audits and, where necessary, post audit reviews to check that the organisations that we have shared data with are meeting the obligations in their data sharing agreement. If an organisation is non-compliant with their agreement, we work with them to address any problems and conduct follow up audits to ensure they are fully resolved. We can suspend the provision of data, however we will balance this with safeguarding against any negative impact to patient care. If there is a breach of the data sharing agreement then NHS Digital may also require that data provided are destroyed and, if appropriate, in relation to personal data breaches, we may report the organisation to the Information Commissioner’s Office (ICO).”
The ICO said it could not tell The BMJ if NHS Digital had ever reported a pharmaceutical company, university, or organisation for breaching a data sharing agreement because of “the way data are held on its systems.” There are no examples of enforcement action against these entities published on the ICO website.
NHS Digital has plans to provide a trusted research environment (TRE) for organisations wanting to access health and social care data. TREs, which are already used by organisations like the Office for National Statistics and Genomics England, involve data being kept on a secure platform with approved people accessing it remotely and only being able to export analysis rather than individual level data. “This is much more secure and builds auditability into the infrastructure, rather than relying on trust through contracts and manual audits,” Banner says.
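The export rule Banner describes (analysis may leave the TRE, individual level data may not) is usually enforced by an output-checking gate between the analyst’s workspace and the outside world. The following is an added illustration of such a gate and is not code from the BMJ article, NHS Digital, or any TRE operator. Its assumptions, which are not from the page, are that exports are tabular, that a table counts as aggregate only when it carries a count column and no identifier columns, that counts below a threshold of 10 are suppressed, and that every decision is written to an audit log; the column names, threshold, and sample tables are constructed for the example.

```python
"""Added example: a minimal TRE output-checking gate (not from the BMJ
article or any real TRE). Column names, the suppression threshold and the
sample tables are assumptions constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

MIN_CELL_COUNT = 10  # assumed small-number threshold, not an NHS figure

# Column names treated as record-level identifiers (assumed for the example).
IDENTIFIER_COLUMNS = {"nhs_number", "patient_id", "dob", "postcode", "name"}


@dataclass
class ExportDecision:
    allowed: bool
    reason: str
    rows: list = field(default_factory=list)  # released rows, if allowed


@dataclass
class OutputChecker:
    """Decides whether a table may leave the environment and logs each decision."""
    audit_log: list = field(default_factory=list)

    def check(self, analyst: str, table: list) -> ExportDecision:
        decision = self._evaluate(table)
        # Every export attempt, allowed or refused, is recorded: the
        # auditability lives in the infrastructure, not in a contract.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "analyst": analyst,
            "allowed": decision.allowed,
            "reason": decision.reason,
            "rows_in": len(table),
            "rows_out": len(decision.rows),
        })
        return decision

    def _evaluate(self, table: list) -> ExportDecision:
        if not table:
            return ExportDecision(False, "empty export")
        columns = set(table[0].keys())
        identifiers = columns & IDENTIFIER_COLUMNS
        if identifiers:
            # Record-level data never leaves, whatever else the table holds.
            return ExportDecision(
                False, f"record-level columns present: {sorted(identifiers)}")
        if "count" not in columns:
            return ExportDecision(
                False, "no aggregate count column; only aggregates may be exported")
        released = []
        for row in table:
            n = row["count"]
            if not isinstance(n, int) or n < 0:
                return ExportDecision(False, "count is not a non-negative integer")
            out = dict(row)
            if 0 < n < MIN_CELL_COUNT:
                out["count"] = None  # suppress small cell; zeros are kept (assumed rule)
            released.append(out)
        return ExportDecision(True, "aggregate table, small cells suppressed", released)


# Constructed sample exports (not real data).
RECORD_LEVEL_ATTEMPT = [
    {"nhs_number": "0000000000", "diagnosis": "F32"},
    {"nhs_number": "0000000001", "diagnosis": "F41"},
]
AGGREGATE_TABLE = [
    {"region": "A", "count": 25},
    {"region": "B", "count": 3},   # below threshold, will be suppressed
    {"region": "C", "count": 0},
]


def demo() -> OutputChecker:
    """Run both sample exports through one checker and return it for inspection."""
    checker = OutputChecker()
    checker.check("analyst1", RECORD_LEVEL_ATTEMPT)
    checker.check("analyst1", AGGREGATE_TABLE)
    return checker


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry)
```

A real output checker does more than this: a suppressed cell can often be recovered from a row or column total, so production disclosure control also applies secondary suppression, and most TREs add a human review step for anything the automated gate cannot classify. The point of the example is the shape of the control: the gate refuses by default, releases only aggregates, and records every attempt, so that compliance is visible from the platform’s own logs rather than from a contract and a later manual audit.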
There are, however, fears about how TREs will work if taken up by the NHS, including how they will be made accountable and transparent. If they become “black boxes controlled by private companies,” public trust may be even more detrimentally affected, Banner says.
Data governance is becoming increasingly important as the government has a strategy to turn Britain into a global data “superpower.”[8] The long term plan is to link GP data with other NHS data to inform planning and improve care pathways.[8]
Building one of the world’s most comprehensive datasets and “putting analytics at the heart of NHS delivery” could yield benefits worth nearly £10bn a year, according to a report from management consultancy Ernst and Young.[9]
Powers in the government’s Health and Care Act will enable the secretary of state to abolish NHS Digital and allow NHS England to take on its powers and responsibilities. Despite NHS Digital’s shortcomings, many are worried about this change. NHS Digital has statutory independence and has turned down government requests for data that it considers invasive. “The move is alarming,” says Philip Hunt, member of the House of Lords, who made an unsuccessful bid to amend the government’s bill. “NHS Digital is not perfect but by abolishing it you risk removing one of the safeguards we have in the current system.”
“NHS England has so many roles and motivations it is never going to be able to protect patient information in the way an independent body with specific responsibilities to do so would,” he added.
A spokesperson from the Department of Health and Social Care said, “The obligations that NHS Digital currently has to safeguard patient data will become those of NHS England. This will include the same level of transparency as to how data are disseminated and used.”
It will take time to decide on the correct policy and to arrange the new data infrastructure, says Banner. She added, “What’s being done about NHS Digital’s audits and those failures in the meantime?”
CORRECTION: This article has been updated to reflect a longer statement from NHS Digital.
Commissioned and externally peer reviewed.
Competing interests: I have read and understood BMJ policy on declaration of interests and have no competing interests to declare.