BBC News

NHS patient information in data breach by Diagnostic Health

By Michele Paduano
BBC Midlands health correspondent


As many as 10,000 NHS patients may have been affected by a series of data protection breaches by a private firm.

A leaked report from the Information Commissioner's Office (ICO) revealed patient data was stored unencrypted by Birmingham company Diagnostic Health.

The company, which carries out ultrasound scans for the NHS, said it had voluntarily suspended services.

Diagnostic Health added it had now completed an action plan that had been agreed with the ICO.

Jonathan Leonard, chief executive of Diagnostic Health Systems Ltd, based on Birmingham Research Park, said the company was planning to resume services for Clinical Commissioning Groups (CCGs).

The data protection breaches date back to June 2013.

The Care Quality Commission watchdog was alerted to the breaches last year by a whistle-blower and passed them on to the Stafford and Surrounds CCG, which commissioned services from the firm.

The CCG's Chief Executive Andy Donald said: "We conducted our own investigation. There were concerns of a serious nature so we informed the information commissioner."

Diagnostic Health first won a contract from the now defunct South Staffordshire Primary Care Trust.

It was soon providing scans from GP surgeries to clients in Staffordshire, The Wirral, Kent and Medway, Berkshire and West Yorkshire. In March 2014 it was approved to supply services to Wandsworth.

Stolen computer

While the ICO refused to show the BBC its report, a leaked copy showed Diagnostic Health was aware it was breaching data protection guidelines by 26 June 2013, but continued adding to the database until 22 July.

The ICO audit, prepared in the summer, revealed a company laptop stolen from a member of staff's home had not been originally reported to the information commissioner.

It also showed staff at the company shared the same password to access files on a web-based storage account.

GP referrals, meanwhile, were being emailed directly to staff inboxes, while there was no audit trail of who accessed the system and when.

At the time of the ICO report, Diagnostic Health was also unable to delete personal data from an ex-consultant's laptop and had no control over how it was being used.

The data controller at University Hospital Birmingham, Daniel Ray, said he was shocked by the findings and that there was a secure electronic system, called N3, that should be used to send all patient data.

"I think that it is extremely sad and I would be shocked that patient records were on the Google drive. That is not how NHS patient records should be handled," he said.

As recently as December, the CQC reported that Diagnostic Health's record systems were still not compliant.

Two out of 10 staff records did not contain a CRB check. There was also no record of some staff being registered with their professional body.

Action plan

The BBC made its first request to see the Information Commissioner's report into Diagnostic Health using the Freedom of Information Act in November.

The Information Commissioner refused to provide it on the basis that there was an ongoing investigation and that disclosure would prejudice its "regulatory functions".

In March, it refused again, saying its investigation had been completed and there was to be no further action.

While NHS organisations have to allow an investigation, the ICO said audits of private firms were on a "consensual" basis and the publication of any report or summary required the firm's consent.

Jonathan Leonard, from Diagnostic Health, said it had conducted a full review with commissioners.

"We have worked transparently with our NHS commissioning client throughout the process and can confirm that they are satisfied with all steps taken moving forwards," he said.

"As a result, our lead commissioner has confirmed that they are once again happy for us to resume providing services for their patients and others are in the process of agreeing the same."

Stafford and Surrounds CCG confirmed that it believed Diagnostic Health was now compliant, but the company had not yet begun providing scans in Staffordshire.
