back to article NHS patient letters meant for GPs went undelivered for years

The NHS has been accused of covering up a large data loss involving the loss or mislaying of more than half a million pieces of confidential information. Confidential medical correspondence – including test results, diagnoses and treatment plans – between GPs and hospitals went undelivered during the five years from 2011 to …

Anonymous Coward

FTFY

> Physical data is inherently less secure than digital - it's difficult to trace, goes missing easily and is often open to interference

Physical data is inherently more secure than digital - it's easier to trace, difficult to forge or alter without detection, and requires a conscious effort to destroy.

And when it goes missing, it will finally turn up in a warehouse somewhere, rather than go straight to the great bit bucket in the sky.

That's why we still use physical ballot slips for voting.

62
1
Anonymous Coward

Re: FTFY

Yes because its not easy to use a smartphone to record peoples details whilst these carts are left unattended.

If people had common sense I would probably all for it but from what I have seen people are just lazy.

0
0
FAIL

Re: FTFY

I was going to say, does Tony Pepper live under a rock? He must have missed the countless memos on digital breaches over the last 5 years...

5
0

Re: FTFY

Physical records are easy to be burned, flooded or otherwise tampered with, lost or god knows what; no audit trail either.

These paper records need to be forgotten about as a bad idea. They're not easy to share to start with. That's not to say that records shouldn't be tightly controlled.

Yes there are risks regarding information security, but I do know of Dr's practices that have burned down with loss of (illegible) records - isn't that a massive clinical risk? I think so.

SD

2
1
Silver badge
Facepalm

'What's that, Lassie? You say that the NHS couldn't handle data safely if it were all engraved on stone slabs each chained up inside a nuclear bunker and yet they want to build a national database where they can sell off pseudo anonymised data sets that are demonstrably commonplace to circumvent?'

37
2

Access by clinicians and other nhs staff has separate levels of access and is logged and checked. Not so for private service providers, who all have a cavalier attittude to data handling. There have been many detected, and punished (instant dismissal) cases of access to personal data for personal reasons among the very large number of private providers. One person was dismissed for verbally informing a patients friends that she was attending a sexual health clinic (she was a cleaner at the clinic). With such a large amount of staff, problems will always occur. Each person accessing an nhs system has a personal access card.

2
0
Anonymous Coward

There have been many detected, and punished (instant dismissal) cases of access to personal data for personal reasons

And plenty of cases where nothing more was done than a slap on the wrist, like the doctor who accessed Gordon Brown's medical records just out of curiosity. That case was detected, but how many are not?

0
0
Silver badge

Do tell

"...the doctor who accessed Gordon Brown's medical records just out of curiosity".

And? So is he actually human or not? Don't keep us dangling!

0
0
Silver badge

"Access by clinicians and other nhs staff has separate levels of access and is logged and checked."

Not nearly as well as you may think. It's only logged and checked if using the official NHS interfaces.

Direct file reading or database queries are not logged or checked.

0
0
Anonymous Coward

"[This} raises new questions about why the NHS is still relying on physical data records,"

Possibly related?

http://www.theregister.co.uk/2017/02/27/contractors_begin_mass_exodus_ahead_of_ir35/

4
0
Anonymous Coward

I was going to say that the NHS's ability to manage their external suppliers is second to everyone, but actually this asymmetric relationship seems to be the basis for all public-private partnerships.

10
0
Silver badge

It's not immediately clear whether or not what happened falls under the remit of data privacy

It's not clear (to me, anyway) that any of the data protection principles have been violated. But physical printouts or letters produced by computer are subject to controls similar to those for digital data.

2
0

"Personal data shall be accurate and, where necessary, kept up to date."

They fail that principle by archiving 200000 change of address forms, ignoring the information in them leads to their customer records being out of date.

"Personal data processed for any purpose or purposes shall not be kept for longer than is necessary."

5 years is far longer than is necessary.

5
1

"5 years is far longer than is necessary."

No actually. Most hospital records have to be retained for 8 years after the last treatment or the death of the patient. Maternity records have 25 year retention. The reason for retention is a mix of medical need and also in case there is legal action in the future.

Complex patients can have a paper hospital record that is 2' thick.

Full info here. https://www.bma.org.uk/advice/employment/ethics/confidentiality-and-health-records/retention-of-health-records

5
0
Silver badge

I nice temped in a records library, there was one was about 1 metre long in various files. Poor lady.

0
0
Bronze badge

In the NHS, records generally have to be retained for a minimum of 7 years from last treatment or from when the patient reaches 18. So when a baby is born, it's records are held for 25 years but the mother's (assuming she is over 18) only for 7.

However it is up to the clinical governance of each NHS body to set their local record retention policy as long as they adhere to the minimum requirements and can clinically justify the policy. For example there may be a clinical reason to retain cancer results (blood tests, xrays etc.) for significantly longer than 7 years in order to map changes, but not much reason to retain an xray of a broken leg for longer.

0
0

Optional

Its okay, they didn't loose them, they just securely stored them.

I wonder how much it costs to keep 500,000 docuemnts for 5 years?

10
1
Silver badge

Re: Optional

Missing the point a little, these would have included referral letters, diagnosis notifications, letters asking people to come in for appointments etc etc.

These haven't been acted on, heck I bet they can't even find out if some of these people are still alive and if there was a negative impact on health of those who are and those who not aren't.

Bottom line is that some of these could have been letters to patients or to a patient GP updating them on something VERY important such as urgent treatments for cancer, Hep C etc.

16
0
TRT
Silver badge

Re: Optional

I wonder if there was an option to send documents are records to archive? You know, run by the same company.

0
0
Silver badge

Re: Optional

The other side of the coin is that I recieved this very day THREE letters all identical telling me that an appintment I have at the Hospital in May is cancelled.

Piss up in brewery anyone?

4
0
Silver badge

Re: Optional

From my experience of having had something seriously wrong, the doctor tends to phone and say something like "you need to come and see me now, don't wait for an appointment" rather than wait for a letter.

0
0
Silver badge

Re: Optional

"Missing the point a little, these would have included referral letters, diagnosis notifications, letters asking people to come in for appointments etc etc."

Not forgetting the threats of fines for people who don't attend appointments and fail to notify. That could be a bit difficult if the hospital claims they sent you a letter and you claim you didn't receive it. They don't use recorded or registered delivery so it's their word against yours.

3
0
Silver badge

Re: Optional

I wonder how much it costs to keep 500,000 docuemnts for 5 years?

To *store* them, not as much as you would think (there are companies that specialise in that sort of thing and use either vaults or caves as ready-made storage space).

To index/retrieve/sift/review/discard? Lots. Think of a large sum of money, double, add another large number then add 10%.

If you want to do it properly anyway.

0
0
Silver badge

Re: Optional

the doctor tends to phone and say something like "you need to come and see me now, don't wait for an appointment"

Yup. Happened to me when my T2 diabeties was identified (had blood tests for another reason, blood sugar was at a level that would lead to blindness and/or several unpleasant things in short order if not fixed..).

To add a slight element of farce - I went in the next day to see them, saw a locum whose first question was "what did you want to see us about?". I explained, a senior partner was summoned..

1
0

Re: Optional

My favourite was when (during a long slow recovery from a severe illness a while ago) I went in to have my regular blood check in the morning, continued going about my day, and then at 7pm the phone rang: "This is the emergency room at the ERI. The lab's just phoned us about your blood results. Ermmm..are you alright?" Either I can cycle happily with a blood glucose of 2.0, or the lab made a mistake:)

1
0
Silver badge

"[This} raises new questions about why the NHS is still relying on physical data records,"

I think we all know the answer to that. How is the XP upgrade going?

9
0
Silver badge

"Not my fault, guv..."

Tony Pepper, co-founder and chief exec of data security company Egress, said the NHS's reliance on paper records is partly to blame for the systematic screw-up.

Yet knowing the NHS uses paper, you still went ahead and bid for the contract to deliver the letters. Hmm.

10
0
Silver badge

Re: "Not my fault, guv..."

Tony has some nice bridges for sale as well.

3
0
Silver badge

"because the mislaid or lost information was on paper"

See the definition of relevant filing system.

I suppose it hinges on whether the paper was stored in such a way that you could retrieve it easily given the data subject's name or address. If it was piled in an unsorted heap, then perhaps the ICO wouldn't have any responsibility.

1
0
TRT
Silver badge

Re: "because the mislaid or lost information was on paper"

failing system was that?

0
0
Bronze badge

Re: "because the mislaid or lost information was on paper"

In ye bad olde days, there was Cardex, which worked pretty good. What they do now, is anyone's guess - prolly a spreadsheet Excel and Access thing on WinME.

0
0
Anonymous Coward

That may be only the tip of the iceberg. In recent years two different emergency treatment hospitals have taken details of my GP - but nothing has ever been put on my GP's records about what they treated.

Recently I received a letter from the hospital after an annual check up - saying I now need a GP referral to another department. The letter says a copy of the report has been sent to my GP. It then goes on to say "take this letter with you when you see your GP". That implies they do not have full confidence in the communication chain.

13
0
Anonymous Coward

Anon for obvious reasons.

I know for a fact that some letters like this can go missing as there's no reconciliation between what's sent and what's received in some hospital to GP systems. It was previously manually checked, now it's just assumed that because they have a tick for it being sent that it was received.

I know for a fact this isn't always the case.

4
0
Silver badge

Misplaced you say?

Misplaced? As in "the company didn't want to actually pay for delivery and logistics costs" misplaced?

The problem arose because the firm tasked with arranging the delivery of internal NHS correspondence mistakenly stored it in a warehouse.

You don't "misplace" a warehouse.

Tony Pepper, co-founder and chief exec of data security company Egress, said the NHS's reliance on paper records is partly to blame for the systematic screw-up.

See?! It's all NHS's fault for relying on those pesky paper record things! How dare they, and anyone for that matter, want paper records!

Tony also has some nice bridges for sale. Anyone buying?

8
0
Anonymous Coward

My GP doesn't send physical referral letters to hospital any more.

They use a fax machine.

It would be more funny if it wasn't true.

7
0

Crime

Posties get prosecuted for stuff on a much smaller scale than this. I trust that the guardians of the law will be feeling collars at NHS Shared Business Services in the near future.

9
0
Silver badge

Re: Crime

"Posties get prosecuted for stuff on a much smaller scale than this."

Yes, Royal Mail has certain obligations, some of which mean a "social" charge on standard deliveries to cover for the non-standard ones, like to the Outer Hebrides. Private "mail" companies don't have those obligation in law and so cherry pick the cheapest delivers. And, it seems, sometime simply don't bother to deliver and so long as the contract says something like "best endeavours", don't even have to deliver to the destination.

More worryingly is that the NHS were not carrying out any sort of performance review over at least a 5 year period on this contractor.

3
0
Silver badge

Re: Crime

"Private "mail" companies don't have those obligation in law"

In this particular case, these letters never entered any mail system, and as such were never subject to any form of regulation.

0
0
Silver badge

mistakenly stored it in a warehouse.

Yes, mail delivery is a very tricky concept.

7
0
Silver badge

Re: mistakenly stored it in a warehouse.

I am still trying to imagine how a warehouse can be mistaken for half a million different addresses.

Didn't anyone wonder about the huge pile of unopened correspondence?

4
0
Silver badge

Clearly no-one is checking to see the services being paid for are actually being...

...provided. This stuff comes down from the top.

4
0
Silver badge
Pirate

Re: Clearly no-one is checking to see the services being paid for are actually being...

Almost as though the people who "choose" the service providers and monitor their delivery against targets are the same people with shares and cushy directorships with those same service providers...

5
0
Bronze badge

if not criminal then civil case for breach of contract. assuming, of course, that the contract specified delivery of mail to the addressee...

4
0
Silver badge

Now, for some reason, I'm thinking of fire extinguishers combusting when you try to use them.

0
0
Anonymous Coward

Mistaken Apprehension

There is no such thing as the NHS, its a mish mash of hospitals competing with each other to get money off the CCGs, that group the GPs surgeries and have all the money, and a bunch of nation wide entities that like to spend money and dont know or more likely dont care what each other are doing.

Also, if you come up with a good idea and can make a plan they give you money, with no thought for execution, actually delivery or past record of delivery.

This is a symptom of the underlying problems with the fragment impatient Business, that in no way resembles a National Health Service.

one of those contractors sitting on an IR35 fence hence AC

2
0
Anonymous Coward

Re: Mistaken Apprehension

There is no such thing as the NHS

To misquote the old phrase about the Holy Roman Empire, the NHS is neither National, Heatlhy nor a Service.

0
0
Bronze badge

Curious

How many people died as a result of various information from GPs not reaching Hospitals and Vice Versa, given the need for this current shambles to attempt to run the NHS into the ground to justify privatisation, it wouldn't shock me if this was deliberate.

2
0
Silver badge

Postmen

There have been past cases of postmen going to prison after it was discovered that they were storing mail in their homes rather than delivering it. ie https://www.theguardian.com/uk/2004/dec/18/post

Why do I get the impression nobody will get punished for this latest NHS fiasco?

0
0
Bronze badge
Unhappy

Who's paying for the repeated tests?

According to Radio5 yesterday, the 500k records affected ~250k patients. I've not been able to find whether the patients were in one geographical area or spread around the country, but assume the latter. Do we really believe that the powers-that-be have tracked down the doctors, consultants, surgeons, radiologists etc. etc. for 250k patients and found that not a single patient's treatment or clinical outcome was affected?

Whilst this may be true, I would also have to assume that because these blood tests, xray results, scan results etc. went missing, it has cost the NHS a significant amount of money to recall the patients and re-test. Who's paying for that?

2
0

OK, say you want to get rid of paper.

While there's a common language to send data between NHS entities, HL7, the systems these feed into are so very different. A lot don't accept external data via HL7, or rather, very few segments.

You may argue that these systems shouldn't be bought if they don't... you would end up with no electronic patient record if that were the case. Prove me wrong, name a single EPR provider that has full event driven HL7 export and import. Too hard? How about one that even openly advertises full HL7 export and import.

That's all at the back of queue behind a consultant having one less click to prescribe, despite that same consultant complaining that they can't see a patients updated demographics in a third party RIS.

1
0

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2017