09 February 2010 | 11:00 GMT



Private medical records offered for sale

20 Oct 2009

Medical records of patients treated at a private British hospital, The London Clinic, have been illegally sold to undercover investigators.

The revelations were made in ITV’s Tonight Programme report, Health Records For Sale, broadcast last night.

The programme reported that hundreds of files containing details of patients’ conditions, home addresses and dates of birth were offered to undercover reporters for just £4 each by sales executives from India, contacted online. 

The records offered for sale appear to have been medical records belonging to consultants working at the London Clinic, who contracted with a firm called DGL Information Technologies UK to digitise their records. The hospital processes its own records internally.

DGL is then claimed to have sub-contracted to another firm, Scanning and Data Solutions (SDS), which scanned them into computers in the UK. SDS in turn is said to have sub-contracted further work on the files to a company in Pune, India, which had signed tight confidentiality agreements.

Only the records of private patients were covered, with no NHS patient records involved. The ITV show said the majority of patients had been treated by consultants using facilities at the London Clinic.

The files were sold by two men who claimed to have gained access to the information from IT companies in India. The security breach is claimed to have occurred at a transcription centre in India responsible for digitising medical notes and records.

The reporters bought more than 100 records belonging to UK patients but were told they could obtain up to 30,000 more on demand. Confidential records were offered by condition such as particular cancers.

Of 116 files bought by ITV, 100 were confirmed as genuine and were for patients who had been treated in private hospitals. Although not NHS records, they did contain some NHS data, including referral letters from GPs.

Sally Anne Poole, head of investigations at the Information Commissioner’s Office, told the Daily Mail: “We are very concerned that private patients’ medical records are on sale in India. The ICO will establish the full facts and will then decide what action, if any, needs to be taken.”

Chris Rogers, the programme’s presenter, made contact with the two salesmen in an internet chat room by posing as a marketing executive keen to buy medical records, which he said he would use to sell health products.

One patient whose record was affected by the security breach said in the documentary that the data breach was ‘one step up from grave-robbing’.

Jon Hoeksma

© 2009 E-HEALTH-MEDIA LTD. ALL RIGHTS RESERVED.

Reader's Comments

1

Offshoring data entry presents numerous security challenges

20 Oct 09 16:10

The Tonight team should be commended for exposing with their report a shocking abuse of NHS confidential patient data, but we must not fall into the trap of labelling this as just an NHS problem, as we have seen how lax controls and monitoring of both workers and their access to key systems can put data security at risk. Offshoring data entry presents numerous security challenges for any organisation, regardless of whether they are public or private sector.

Organisations that lack the controls to manage user access often run into problems with staff acquiring access rights to data and software that may exceed their role, or gaining access to systems without detection. As well as the potential for malicious damage or data theft, the risk of accidental damage and deletion of data is raised considerably.

For any company involved in outsourcing data entry, it is essential that clear processes and policies are in place not only for monitoring the physical activities at the offshore location, but also to ensure that access to key information systems by those offshore workers is appropriately managed, provisioned and monitored by the IT department.

Stuart Hodkinson, UK general manager, Courion (www.courion.com)


2

We shouldn't label as an "NHS problem" because it isn't...

22 Oct 09 09:10

We shouldn't label this as an "NHS problem" at all, because it isn't. At least that would be misleading in this case; the article is clear that this is a private medical organisation who have outsourced their IT solutions without due care.

We cannot ignore the fact that NHS organisations will face the same security challenges as any other organisation, but the only role played by NHS organisations in this story is simply as a source of records which will, without a doubt, have been passed to the private organisation upon the patient's request. The records belong to the patient at the end of the day, and there is nothing that the NHS or anyone can do to protect what patients do with their own information explicitly.

I think that most with a reasonable understanding of Information Governance (IG) aims within the NHS would agree that it would have been less likely that this would have happened to NHS-held records; the data-entry would have been completed by staff employed by the NHS organisations themselves, and I think you would find that contact with patient data would be avoided by most NHS system suppliers wherever possible...

I think the question here is how this particular private practice (and possibly others) has managed to put their patients' data at risk when there are strict IG guidelines provided by NHS Connecting for Health which they should be following as NHS organisations would. And how did patient data manage to get passed through three sub-contracted companies without being picked up?


3

Agreed ...

22 Oct 09 11:10

At least they know there is a reliable backup of all their records, with a patient retrieval fee of only £4. And probably quite safe: the current holders of this backup will protect their valuable charge carefully - it is hard to see THEM being so careless with the data!

8¬)


4

What happens to the DPA with sub-contractors?

maryhawking@tigers.demon.co.uk

02 Nov 09 08:11

Medical records are not the only ones put at risk by contractors or sub-contractors sending them outside the protection of UK law: remember the learner drivers whose data was lost/misappropriated in Omaha? (The blatant marketing may be something new) Doesn't the DPA forbid export of data covered by DPA to countries without legal protection equivalent to that in the UK - and this includes both India and the USA?

Why is it that, if I am right about this, there haven't been any well-publicised prosecutions of contractors or sub-contractors for breach of DPA?
