According to an independent parliamentary audit, an NHS contractor failed to deliver hundreds of thousands of medical documents, putting the health of over 1,700 patients at risk.
The National Audit Office (NAO) report released on 27 June listed a catalogue of errors that led to the stockpiling of “just under 209,000 items of unprocessed correspondence”.
NHS Shared Business Services (SBS) had contracts with trusts in the east midlands, north-east London and south-west England. Most of these contracts included a service to forward misdirected clinical correspondence. The auditors claimed that NHS SBS failed to do this on a massive scale between 2011 and 2016, and kept the blunder quiet for two years.
The report outlines that NHS SBS failed to register the importance of the data it was handling.
The following exerpt shows the complete disregard of information security:
The files were stored in a room labelled ‘clinical notes’. A subsequent review found that the label had been removed by an SBS general manager because ‘you don’t want to advertise what’s in that room’. NHS SBS told us that it was important that documents were held securely and therefore not having a label on the door was appropriate as part of this.
The number of cases could potentially rise from the 1,788 reported, as doctors are still reviewing the 200,000 records.
According to the NAO, the cost of the incident will be at least £6.6 million for “administration alone”, with the NHS likely have to pay some of that figure. It is also said that this incident is proof of the urgent need to accelerate efforts digitise the NHS.
Reduce your security risk exposure with information security staff awareness training
Information security is critical within the business environment. Enrol your staff on our Information Security Awareness E-learning Course so that they gain a better understanding of information security risks and compliance requirements. Minimise the risk of human error by ensuring non-technical staff are familiar with security awareness policies and procedures in order to better protect information assets.