Confidential information on 150,000 NHS patients has been distributed against their wishes for years due to a "coding error" by healthcare software supplier TPP.
NHS Digital, the body that oversees the healthcare service's use of data, fessed up to the bungle – which saw data on the affected patients used in ways they had specifically requested it wasn't – this week.
It affects patients who registered what is known as a type 2 opt-out – which says clinical information can't be used for anything other than their own care – between March 2015 and June 2018 at a GP surgery that used TPP's SystmOne software.
According to NHS Digital, a coding error in the SystmOne application meant that the opt-out information was not sent to NHS Digital, and so the body used the information for other purposes, such as research or clinical audits.
The body said that TPP spotted the error on 26 June, and that it stopped data-sharing on patients who had made type 2 opt-outs the day after. It is now contacting the affected patients, which amounts to about 10 per cent of the total number of opt-outs, along with GP practices.
It added that TPP and NHS Digital would "ensure that testing and assurance of patient data extracts is enhanced" in future to prevent similar errors.
In a statement to Parliament, health minister Jackie Doyle-Price appeared to try to sugarcoat the pill, saying that the data had been used "in clinical audit and research that helps drive improvements in outcomes for patients".
Both NHS Digital and TPP issued the usual missives setting out their "unreserved apologies", with TPP clinical director John Parry saying in a canned statement that "privacy of patient data is a key priority for TPP, and we continually make improvements to our system to ensure that patients have optimum control over information".
Half a million 'de-identified' patients records to be shared in BradfordREAD MORE
However, the error will be seen as another black mark against the NHS and its ability to handle confidential patient information at a time when it is trying to regain public trust following previous botched data-sharing schemes.
Phil Booth, co-ordinator at MedConfidential, said that the incident demonstrated why patients should be able to see what is done with their data.
"NHS Digital failed to see this in over three years, and the IT company that made the error failed to see it too. But any patient, especially someone concerned enough to opt out, would have spotted this in an instant."
The Information Commissioner's Office confirmed that it was aware of the issue and was making enquiries. The watchdog already carried out an in-depth review of NHS Digital's handling of type 2 opt-outs in 2016.
The 2016 probe was provoked by the revelation that NHS Digital had failed to honour the requests of about 700,000 patients who had attempted to register a type 2 opt-out before 29 April 2016. At that time, the body avoided a penalty after promising it had set up a new system to process and uphold the objections would ensure it toed the line.
And it isn't the first time that TPP's SystmOne has come under fire. In March 2017 it was revealed that it was not possible for GPs to find out exactly who had accessed patient information through a newly introduced record-sharing feature.
The aim of that feature was to allow organisations such as hospitals and care homes to access GPs' notes to help patient care, but it was found that the audit function could only point at organisations, not individuals.
NHS Digital said that the errors revealed this week "would not be able to occur using the new National Data Opt-Out" – a system that was introduced on 25 May that should allow patients to register their data-sharing preferences via a form available online, by phone or on paper.
This was echoed by Doyle-Price, who claimed that the system "has simplified the process of registering an objection to data-sharing for uses beyond an individual's care".
However, Booth countered that the online process "makes expressing a choice significantly harder for families with children and other dependants", as it can require them to send in various forms of identity documentation, rather than making a direct request of their own GP. ®