Patient information easily obtained by phone
- 20 June 2008
A team of doctors has warned that confidential patient information can be easily obtained from GP practices over the telephone after getting patient data from 45 practices without any verification in more than a third of cases.
Dr Ed Fitzgerald and colleagues from Nottingham University Hospitals NHS Trust contacted 45 different GP practices to obtain details about 51 patients involved in an audit to complete gaps in addresses, contact numbers and current treatments.
In 50 of those cases the team successfully obtained the patient’s address and/or telephone number and in more than a third of the telephone conversations no information or verification was requested to obtain the information.
Dr Fitzgerald told EHI Primary Care: “It wasn’t our objective to test how much information we could get from practices but we were surprised when we did it by how easily we got the information.”
Dr Fitzgerald said it was standard practice for hospitals to ring surgeries to check missing information about patients but it was unusual to ring so many practices in such a concentrated period.
He added: “It would make day to day life extremely difficult if we couldn’t do this but it does also show that anyone with a story could get a lot of information.”
The doctors reported their findings in the BMJ Rapid Response section following research published by the Summary Care Record evaluation team which highlighted concerns among patients and clinicians about computer security and inappropriate access to the SCR and HealthSpace.
The Nottingham doctors said the concerns about electronically stored information should be viewed in the context of current arrangements.
They added: “Human links in the patient record chain are far more vulnerable to error, and we have been alarmed at the ease with which we have obtained confidential patient details by telephone.”
Dr Fitzgerald said that although more than a third of practices made no checks at all in other cases the team was asked for some sort of verification with practices either asking for a telephone number to call back or asking to speak to someone else within the organisation to confirm the caller’s identity. In one case the receptionist refused to provide the information because no adequate verification was provided over the telephone.
The doctors add: “We greatly appreciate the ease with which GP receptionists assisted us, however it would seem that such help is potentially open to abuse by anyone with a convincing medical story ‘calling from the hospital’. Such a story easily overcomes natural safeguards; hacking into a HealthSpace account would be considerably more difficult.”
Dr Fitzgerald said he and his colleagues were currently uninformed about the Summary Care Record and NHS Care Records Service.
He added: “Amongst my colleagues there are very few people who have a view because we don’t know enough about it and how we’d use it.”
Related document
BMJ Rapid Response on patients’ attitudes to the SCR and HealthSpace