Microsoft NHS Resource Centre - Inside e-health on data breaches at home and abroad

You are viewing only a fraction of the content available to registered members of the community.

These are mainly contributed by Microsoft professionals.  (Community content is private for registered people only)

These are mainly Microsoft professionals.  (NHS staff are kept private)

Article

Inside e-health on data breaches at home and abroad

The latest healthcare IT news from the NHS Resource Centre

Tales of data breaches continue to tumble out of the public sector. Yet England is not the only country to suffer them. Data breaches happen throughout Europe and in the US as well; and individuals are starting to look to their courts for redress. Jon Hoeksma considers the implications.

When HM Revenue and Customs had to admit that it had lost the details of 25 million child benefit claimants last year, it sent shock-waves around the public sector.  

The government ordered departments to review how they were handling sensitive personal information. The Department of Health told NHS trusts to look at their own policies and to suspend the transfer of data unless they could be sure it was encrypted. 

Yet, nine months on, the public sector is still plagued by data breaches large and small. The Home Office has just had to admit that a contractor, PA Consulting, has lost a USB stick containing information about every prisoner in the country. An NHS trust has just sacked an un-named senior manager for leaving a laptop holding information about 20,000 patients in his car while he went on holiday.

Enter the European Court of Human Rights

Data breaches are not a peculiarly English phenomenon. Most western countries are seeing new IT systems deployed in schools, hospitals and other institutions and most have seen data breaches follow in their wake.

Individuals and judicial systems are starting to respond. The European Court of Human Rights recently ordered the Finnish government to pay out €34,000 for failing to protect a citizen's personal data by not adequately securing her confidential medical record.

€14,000 of that went to the woman who brought the case: an HIV-positive nurse who worked in a public hospital between 1989 and 1994 on a series of contracts that were not renewed. She suspected this was because her medical notes had been accessed inappropriately and asked the hospital for details of who had seen them and when.

The hospital was unable to supply the data because it kept only a limited audit trail; but the court ruled the nurse did not have to prove there had been a “wilful” release. It decided that the hospital’s failure to establish a system to ensure that her records could not be accessed was enough for her to win her case.

More significantly, the court made a link between the breach and the European Convention on Human Rights, ruling that failure to ensure the confidentiality of medical records was a breach of article 8, which guarantees every European citizen “the right to respect for his private and family life, his home and his correspondence.”

Meanwhile, in America

A number of US hospitals have been sued and left with hefty bills after experiencing data breaches, either because of external attack or internal failures. Members of one US healthcare purchasing alliance in San Diego are now being offered insurance to cover the financial costs of breaches.

A recent study by Kroll Fraud Solutions, published by the Healthcare Information and Management Systems Society, suggests these may run to $200 per record and $6.3 million per incident, once the costs of litigation, crisis management, fixes and other corrective action are taken into account. This doesn’t even begin to count the cost to reputation in what can be a fiercely competitive healthcare system.

Back on home soil

There is something pleasingly European and American about these responses. In Finland, aggrieved patients reach for the Human Rights Act; in the US, they sue. It will be interesting to see whether the threat of being hauled to Strasbourg or the threat of a major financial loss will have the more salutary impact on policy and practice in the long run.

It will also be interesting to see which approach comes to be applied in this country. Patients are far less willing to sue the NHS than popular claims of a “compensation culture” suggest – and they often lack the funds to mount a case. They may also face legal barriers in claiming the data held in public systems as private property.

Public bodies, on the other hand, are subject to the European Convention on Human Rights, as enshrined in the Human Rights Act. Yet the Act has suffered some bad publicity recently and cases can take years to reach a conclusion.

Meanwhile, the recent USB stick incident is instructive. The fact that anyone working with confidential public data could think it was acceptable to transfer so much onto one shows just how much work is still needed on information governance.

Yet although it led the national news for a day, there was far less coverage of the loss than there was of the HMRC catastrophe. One reason may be that the national press finds it easier to worry about the data of hard-working parents than of convicted criminals.

A more worrying reason may be that it is starting to assume that public bodies are incompetent and will inevitably mishandle and lose personal data.

This may make it more difficult for organisations like the NHS to convince people to allow their data to be included in new databases in the first place; one reason, perhaps, that the “don’t create” element of the consent model for the NHS summary care record is under review yet again.

About the author: Jon Hoeksma is a journalist specialising in the public sector and IT. He is co-founder of the E-Health-Insider portal and its sister sites covering primary care and European healthcare IT issues.