The Scottish Health Boards suffered 806 data breaches between 2009 and 2013. The incidents range from data loss and data leaks to breaches of the Data Protection Act.
The figures were obtained and revealed by the Scottish Liberal Democrats through Freedom of Information requests. What is more concerning is that the total number of data breaches increased from 86 incidents in 2009 to 223 in 2013.
With so many data breaches, the incidents invariably span a wide range of types, which makes it much harder for the Scottish Government to implement regulations and to ensure that they are all being adhered to.
Incidents that resulted in a data breach within the last five years include documents being sent to the wrong addresses and being left in public places such as car parks and public transport. One such incident occurred in NHS Greater Glasgow and Clyde in July 2013, when a member of the public found a folder at a bus stop which contained information relating to 60 patients. The folder was handed in at a nearby hospital.
Such statistics are a cause for concern, especially given the drastic increase in data breach incidents within a five-year period. As a result, the Scottish Lib Dems have appealed for the Scottish Government to ensure that the Scottish Health Boards are given adequate support to ensure that confidential data remains secure.
Jim Hume, who is a Scottish Lib Dem health spokesman, stated, “NHS staff work extremely hard under an enormous amount of pressure but there must be a vigilant approach when it comes to protecting confidential patient information. The Health Secretary must ensure that NHS boards are given the support needed to learn lessons and prevent further breaches of patient confidentiality. We have no choice but to trust the people looking after our families to look after their personal details too.”
Hume added, “Whilst the year-on-year rise in incidents may be due to an increase in reporting, this should make health boards all the more aware of the scale of the problem. In one instance, a patient was given the pregnancy record of another patient. Our figures also show a number of important patient records and notes were lost. Some of those that were found had been left in public places where anyone could have read that private information.”
Hume concluded, “A mistake here or there might not seem much but the bigger picture is one of patient information being lost across Scotland. The Health Secretary must explain what he is doing to address this.”
The Scottish Government has responded and stated that they are already taking action to help reduce the number of data breaches within the Scottish Health Boards.
A spokesman stated, “We take patient confidentiality and security of patient information very seriously and believe any data breach is unacceptable. All health boards are required to have robust procedures in place to secure patient information and staff should be given ongoing training in data protection.”
The spokesman added, “All mobile devices holding any patient data are now encrypted so, even if a laptop is stolen, patient information cannot be accessed; boards are installing a new tool to pinpoint staff who are accessing information they are not entitled to see; and health boards are rapidly moving from paper files to encrypted devices.”
The spokesman concluded by stating, “In the interests of greater transparency and to make data breach statistics easier to interpret, the Scottish Government plans to introduce a severity scale and national reporting mechanisms in line with recommendations made by Dame Fiona Caldicott. This should also lead to more clarity on data breaches and other security matters.”
With such cases, it is very hard to pinpoint why there have been so many data breach cases. It will take time for the Scottish Government’s actions to start making an impact and to see how much they have helped to reduce the number of data breaches.
It is all well and good introducing policies and regulations, but the staff need to be educated about data security. This will help them understand the importance of following the regulations and minimise the number of simple mistakes that are made.