Tinkering NHS staff have mistakenly disclosed sensitive data hundreds of times in the past two years.
Never-before-seen data, obtained by MailOnline, reveals that there have been 1,600 data breaches in the health service across the UK since 2021.
Offenses include staff faxing or emailing sensitive details to the wrong person and leaving documents behind.
Cyber attacks and people gaining unauthorized access to potentially sensitive data were also blamed.
The figures, which come from a freedom of information (FOI) request, only look at breaches by incident, not by the number of people affected.
The ICO has investigated seventy-five NHS bodies for data breaches since 2021. Such investigations do not necessarily mean that personal data has been exposed or that NHS organizations have been at fault, and many investigations conclude that “no additional action is required” or that only ICO advice was provided. However, five NHS bodies received formal reprimands as a result of the investigations.
It means, in theory, that thousands more patients may be affected than figures from the Information Commissioner’s Office (ICO) suggest.
This website’s findings come just days after it was revealed that more than 40 million voters may have had their data stolen in the biggest data breach in UK history.
The Electoral Commission revealed on Tuesday that ‘hostile actors’ had access to its systems for 14 months without being detected.
Police in Northern Ireland admitted, the same day, that they were also at the center of a data breach of “monumental proportions”.
Data on thousands of officers and civilian personnel was mistakenly released in response to a freedom of information request.
Meanwhile, NHS Lanarkshire in Scotland was officially reprimanded last week by ICO bosses after staff shared patient data in an unsecured WhatsApp chat.
Earlier this year, another NHS body received a slap on the wrist for accidentally sharing patients’ HIV status, while a London trust was fined nearly £80,000 for a huge email error.
MailOnline’s investigation, which runs to January 2023, revealed that the most common breach was someone gaining unauthorized access to people’s personal data (335 incidents).
More than 250 of the recorded incidents were related to staff faxing or posting data to the wrong recipient. Another 174 violations were related to documents being emailed to the wrong person.
Five ransomware attacks and nine phishing scams were also discovered.
Phil Booth, coordinator of medConfidential, which campaigns for patient confidentiality, said the figures show a “shocking series of avoidable errors and harm.”
He said: “We cannot know that each affected patient was actually informed, as the ICO does not make sure that happens in a meaningful way.”
The lack of data security within the NHS has resulted in heavy penalties in the past, with trusts fined for losing patient records, staff sharing patient information on WhatsApp and failing to ensure data is protected with a password.
FOI data also shows NHS staff lost or had devices/documents stolen 224 times, with one incident in 2022 involving ‘brute force’.
Workers also verbally disclosed private information, such as discussing a patient’s private medical information in a public room, 101 times.
Alteration of personal data was one of the rarest incidents with just 11 cases in three years, although the ICO figures did not record whether the changes made were accidental or intentional.
Thirty-six breaches centered on NHS staff failing to hide individual emails from recipients.
The Tavistock and Portman NHS Foundation Trust, famous for hosting the health service’s Gender Identity Development Service, the UK’s only transgender service for children, was fined £78,400 for such an incident in July last year.
The Trust emailed 5,000 patients about an art competition. While people opted in to receive emails, staff did not properly hide their information, resulting in the email addresses of about 1,780 people being exposed to other recipients.
The Trust was among 75 NHS bodies investigated by the ICO for data breaches since 2021.
Such investigations do not necessarily mean that personal data was exposed or that the NHS organization was at fault.
Many investigations concluded that ‘no further action was required’.
However, five NHS bodies received formal reprimands as a result of the ICO investigations.
Epsom and St Helier University Hospitals NHS Trust received two.
One related to an incident during the pandemic, where a data entry error caused staff to incorrectly mark themselves as having the virus. As a result, NHS Test and Trace told them, as well as their close contacts, to self-isolate.
This led to the cancellation of multiple surgeries and the closure of several schools and day care centers in the local area.
One of the most shocking rebukes was issued to NHS Highland in Scotland this year.
It related to an incident in 2019 where the Trust sent mass emails to 37 people who had recently accessed its HIV services, but failed to mask the email addresses properly.
At least one patient was able to recognize four other people by their email addresses, one of whom was a previous sexual partner.
Other NHS bodies that have received reprimands in recent years include the Bridgewater Community Healthcare NHS Foundation Trust in North West England, the Warrington and Halton Hospitals NHS Foundation Trust in Warrington and the national health services body NHS Blood and Transplant.
The trust with the most ICO investigations was the Homerton Healthcare NHS Foundation Trust, with seven in total since 2021.
All of these were cyber-related incidents, and a Trust spokesperson told MailOnline that they were all related to phishing attacks.
However, a spokesperson for the Trust said they have now taken steps to improve the security of their data.
“Earlier this year, we increased our resilience to these incidents by rolling out multi-factor authentication to all NHSmail accounts,” they said.