NHS Developer Error Leads to Data Leak

Written by

A data leak at the NHS affecting 150,000 patients has been blamed on a software developer error.

The issue revolves around so-called Type-2 opt-outs, which patients can request when they don’t want their personal information to be used for anything other than their own care.

Some 150,000 of these objections recorded in GP practices between March 2015 and June 2018 were not sent to NHS Digital by outsourcing software developer TPP’s systems.

The error is only a minor one as the data was ultimately used in clinical audit and research, which is designed in any case to help improve patient care across the NHS, according to a statement by the parliamentary under-secretary of state for health, Jackie Doyle-Price.

“NHS Digital will write to all TPP GP practices today to make sure that they are aware of the issue and can provide reassurance to any affected patients. NHS Digital will also write to every affected patient. Patients need to take no action and their objections are now being upheld,” she explained.

“There is not, and has never been, any risk to patient care as a result of this error. NHS Digital has made the Information Commissioner’s Office and the National Data Guardian for Health and Care aware.”

Type-2 objections have now been replaced by a national data opt-out designed to simplify the registering of an objection to wider data sharing.

However, the incident is the latest in a long-line of data leaks and breaches stemming from third-party mistakes.

Incidents at PageUp, Typeform, and Inbenta Technologies have all had a major impact on client organization’s and their customers in the past couple of months.

Mike Smart, EMEA security strategist at Forcepoint, argued that developers must integrate multiple layers of protection into their products, especially with the requirements of the GDPR front-of-mind.

“It’s a clear indicator that relying too heavily on software will cause these mistakes to happen in the future,” he added. “We can’t afford to leave out the human element when deciding how we protect sensitive data, and must involve creative and lateral thinking in the testing and final checking stage before software goes live.”

What’s hot on Infosecurity Magazine?