The anonymity of NHS medical records has been called into question after a "stalker" hospital doctor obtained and communicated very sensitive information about a lady who had begun dating her ex-boyfriend regardless the fact that he wasn't involved in her care.
The victim was left in "fear, shock, and horror" after learning that the doctor had exploited her hospital's medical records system to look at the woman's GP records and read - and share - private data about her and her children accessible only to a few others.
“I felt violated when I learned that this woman, who I didn’t know, had managed to access on a number of occasions details of my life that I had shared with my GP and only my family and very closest friends. It was about something sensitive involving myself and my children, about a family tragedy,” the woman said.
The case has spurred worries that any doctor in England could misuse their privileged access to confidential medical records for purposes other than clinical.
Sam Smith, of the health data privacy group MedConfidential, said: “This is an utterly appalling case. It’s an individual problem that the doctor did this. But it’s a systemic problem that they could do it, and that flaws in the way the NHS’s data management systems work meant that any doctor can do something like this to any patient. If you’re registered with the NHS in England, this could happen to you.”
The victim and the doctor, consultant at Addenbrooke's Hospital in Cambridge, have not been named by the Guardian. The woman was originally perplexed as to how the doctor had obtained very intimate information about her, her sister, and her children, which the doctor then passed to her ex-boyfriend in the early stages of his new connection with the woman last July.
“The doctor said that she had got it from friends, or from people in her choir or parents at my children’s school. That left my sister and I wondering if some of our close friends had betrayed us as we knew that only a few people knew those details. She had an unhealthy interest in us.”
The mystery was answered when Addenbrooke's provided the woman with a full audit of all its staff members who had exposure to her medical information at her request. It was discovered that the doctor viewed her medical information seven times between August and September of last year. The clinician first accessed Epic, Addenbrooke's own hospital medical records system, three times.
She then navigated to a different records system known as GP Connect, which contained comprehensive notes of conversations her former partner's new girlfriend had with her GP regarding the tragic impact of the accident and the well-being of one of her children.
On one occasion, the doctor, whom the woman had never seen, called the victim, asked her name, provided it, and then hung up. The victim felt it was a planned effort by the doctor to demonstrate that she had obtained personal information about her
Addenbrooke's first disputed that its employees could access GP Connect via Epic. However, after a meeting with the victim, its deputy medical director, Dr. John Firth, acknowledged that her full GP records were available. Michelle Ellerbeck, the company's head of information governance, later emailed the woman to thank her for demonstrating that it was possible in case "this inquiry ever comes up again."
Dr. Nicola Byrne, the NHS national data protector for England, offers advice on how to keep patients' information safe and how to utilize it correctly. She stated that she was "concerned about the seriousness of the allegations" when the patient wrote to her about the inappropriate intrusion into her medical history.
Byrne identified the doctor's actions as "absolutely unacceptable" and attempted to comfort patients who may be concerned about the incident by emphasizing that it was the first time she had heard of a medic violating rules governing the secure handling of a patient's medical records in order to gather information about them. She did, however, left open the possibility that others were doing the same.