NHS has had thousands of personal data breaches since 2019

The NHS has been sharing private data with strangers, in breaches that affect thousands of patients every year.

That's according to The Independent, which says the latest figures from the Information Commissioner's Office (ICO) show that 3,557 breaches of personal data were reported across the British health sector from 1st April 2019 - 31st March 2021 - the majority recorded in the NHS.

However, because organisations are not required to report every data breach to the ICO, the exact number of such incidents is thought to be much higher.

Breaches in the NHS included patients' records being modified without consent and sending their private details to the wrong recipient.

In the two-year period, the NHS notified the ICO of 866 incidents where employees emailed or physically posted a patient's private data to the wrong person.

In particular example, the NHS publicly disclosed an individual's HIV status. In another, the home address of a female patient was sent to people who were not entitled to receive the information.

Other incidents included NHS staff verbally sharing incorrect information, or losing paperwork on laptops or other devices.

In some cases, the NHS was ordered to pay thousands of pounds in compensation because of the errors.

In 2012, the ICO fined the Torbay Care Trust (TCT) £175,000 for a data breach it said was 'entirely avoidable'. The Trust, based in Devon, had published 'sensitive details' of over 1,000 employees on its website in April 2011.

In 2018, a data breach exposed the details of 150,000 NHS patients in England, which the health service blamed on a coding error.

In September 2019, the ICO opened a probe into a data breach at Wrightington, Wigan and Leigh NHS Foundation Trust, after data on more than 2,000 patients was wrongly accessed.

The Ferret sent Freedom of Information (FOI) requests to every NHS board in Scotland in April this year. Those requests showed there had been at least 1,395 breaches over the last two years, with 73 NHS employees facing disciplinary action.

Many boards did not disclose statistics, meaning that total could be higher.

The Ferret said it sent its requests following a data breach in which a radiographer accessed the private records of over 200 female patients before stalking them. The radiographer worked at hospitals in Lanarkshire and Ayrshire, where he used his position to access the files and record patients' contact details.

"Properly utilising NHS data can improve healthcare and will benefit patients, but without proper safeguards patients can also be harmed," shadow health minister Alex Norris said.

"These breaches are concerning, and show exactly why it was so important to delay the GP DPR (General Practice Data for Planning and Research) process instead of rushing it through."

"The government and NHS Digital must now use this extra time wisely to consult with the public and act upon what they learn."

The latest ICO figures on NHS data breaches come about a month after the government announced that it was delaying the plan to extract patient data from GP records until 1st September, to allow an opportunity for further communication.

NHS Digital, the IT and data services arm of the NHS, announced the General Practice Data for Planning and Research (GPDPR) initiative in May 2021. The intent is to transfer data from patient records in England, created up to 10 years ago, in 'near real time'.

The data will be used for a 'wide variety of research and analysis to help run and improve health and care services.'

However, many privacy groups, who were not happy with the plan, demanded an extension to the opt-out deadline.

The Labour Party also called for a public consultation to alleviate medical professionals' concerns.