NHS trusts lose 10,000 patient records every year

Think tank report calls for an end to handwritten patient notes amid evidence that paper records are being routinely misplaced

More than 10,000 patient records go missing every year

The NHS has misplaced almost 10,000 patient records in the last year, according to new research from the think tank, Parliament Street.

The report, entitled NHS Data Security: Protecting Patient Records examines the number of patient records that have been misplaced by NHS trusts over the past 12 months.

And the report discovered that, overall, 9,132 patient records from 68 hospitals had been reported missing or lost.

With sales of health records on the dark web and identity fraud on the rise, the need to protect the privacy of patients while moving towards secure digital systems is both urgent and essential

Topping the list, at 3,179 records missing or stolen, was the University Hospitals Birmingham NHS Foundation Trust; followed closely by Bolton NHS Foundation Trust at 2,163 records misplaced.

The third largest was University Hospitals Bristol NHS Foundation Trust with 1,105 records lost.

Wrightington, Wigan and Leigh NHS Foundation Trust reported 426 lost or stolen documents, despite using an electronic database system; and the Royal Devon and Exeter NHS Foundation Trust reported 425 documents lost or stolen and stated they only used paper case notes.

The report also found that 94% of trusts still use handwritten notes for patient record keeping, despite often having electronic record system software in place.

The information was gathered though the Freedom of Information Act (FOI) to request data into lost or stolen patient records and the use of handwritten notes.

Key recommendations from the report state that NHS trusts should work to abolish handwritten notes in hospitals to prevent loss of personal documents and to introduce a patient identity protocol in order for patients to have up-to-date information on their medical records.

Commenting on the findings, Barry Scott, chief technology officer at access management solutions provider, Centrify, said: “These incidents underline the need to improve security procedures around the management of health records within the NHS.

“With sales of health records on the dark web and identity fraud on the rise, the need to protect the privacy of patients while moving towards secure digital systems is both urgent and essential.

Without proper funding, processes and technology in place, it would be impossible for any organisation, let alone the NHS, to be in the position to secure their systems and the valuable information within

“Achieving this means ensuring only accredited doctors, nurses and staff can access private information, and providing encryption and identity access management solutions to keep cyber criminals locked out.”

But Andy Richmond, UK vice president at Varonis, told BBH: “The recommendations to put an end to handwritten patient records and introduce an online patient data portal are good and necessary moves from a modernisation standpoint, but they will not help in preparing for future cyber attacks. In fact, these new systems could introduce new vulnerabilities if not properly secured.

“The issue of lost and misplaced data is not unique to the NHS, or even to the healthcare sector. Data growth has skyrocketed and organisations have been caught off guard. Many times they do not know what their data servers hold, be that sensitive information on patients and courses of treatment, or personal identifying information such as an address and mobile number.

“Without proper funding, processes and technology in place, it would be impossible for any organisation, let alone the NHS, to be in the position to secure their systems and the valuable information within.

“Organisations are often overexposed and under-protected. The biggest issue in many cases is global file access, meaning that files are open to every employee within an organisation.

“In a recent report, we found that 41% of companies had at least 1,000 sensitive files open to all employees. These files are likely to be encrypted in a ransomware attack.”

Companies