EHR vendor's 'coding error' leads to data breach of 150K UK patients: 4 things to know

NHS Digital, the information and technology arm of the U.K. National Health Service, said July 2 a "coding error" made by clinical systems supplier The Phoenix Partnership breached the medical information of an estimated 150,000 patients in the U.K., GovInfoSecurity reports.

Here are four things to know about the healthcare breach:

1. TPP provides the NHS with SystmOne, the EHR system used by general practitioners throughout England. Officials said an alleged coding error by TPP allowed the NHS to share some patients' data for clinical research and planning purposes, even though the patients had registered to opt out of this type of data exchange during appointments at GP practices using SystmOne.

2. The error affected an estimated 150,000 patients who had been registered as a "type 2 opt-out" since March 31, 2015; the coding error meant their preferences were not relayed to NHS Digital.

"The privacy of patient data is a key priority for TPP, and we continually make improvements to our system to ensure that patients have optimum control over information," Dr. John Parry, clinical director at TPP, said in NHS Digital's July 2 statement. "In light of this, TPP apologizes unreservedly for its role in this issue."

3. To mitigate the effects of the error, the NHS plans to contact organizations it shared data with and ask them to "destroy" information received during the breach period, an NHS Digital spokesperson told GovInfoSecurity.

"We will be asking those organizations to destroy the data they hold which has not had the opt outs supplied as soon as practically possible, and we would look to resupply data where required," the spokesperson said. "In some exceptional circumstances however that may not be practicable … but this will be considered on a case by case basis."

4. Nic Fox, director of primary and social care technology at NHS Digital, said the implementation of a new National Data Opt-Out system will help keep this type of error from occurring in the future.

The system "puts the individual in direct control of their data sharing preferences. Data sharing preferences can now be registered via a simple to use website or by phone or paper form, with the information going directly to NHS Digital rather than being recorded by a GP on a third party system," he said in the July 2 statement.

© Copyright ASC COMMUNICATIONS 2018.