NHS staff posted patient information on Facebook

NHS staff have been breaching the Data Protection Act (DPA) by posting confidential patient details and photographs on Facebook, a report has found.

This was one of the ways that patient medical records were compromised by staff at NHS trusts across the country between July 2008 and July 2011. There were at least 806 separate data breaches at 152 NHS trusts during the period.

The report from civil liberties campaigners Big Brother Watch, based on information gathered from Freedom of Information (FOI) Act requests, showed that there were 23 incidents of patient information being posted on social networking sites such as Facebook.

In one case, a medical employee at the Nottingham University Hospital NHS Trust posted a picture of a patient on Facebook, which led to their dismissal. This employee was one of 102 who were sacked after a data breach incident.

However, in many cases, staff were only disciplined internally. This was the only consequence for civilian employees at Pennine Acute Hospital NHS Trust who sent information via Facebook to a parent of a patient and posted sensitive information on the social network site, and for a medical employee at the Cheshire and Wirral Partnership NHS Foundation (Mental Health) who breached confidentiality using Facebook, for example.

Although 74 NHS trusts failed to respond to the FOI request, the data provided by the other trusts show that there were 129 incidents of NHS staff looking up the personal details of their colleagues or family members.