Almost 10,000 patient records at UK public hospitals were mislaid, lost or stolen in a year prompting data security concerns, with 94 per cent of NHS trusts also found to be using paper records in new research.

The Parliament Street think tank sourced the stats from 68 NHS hospital trusts through Freedom of Information requests, and claimed the records couldn’t be found when they were needed for patient consultations, with some later recovered.

“Our research team discovered that in the last financial year, the University Hospital Birmingham reported the largest amount of records 'unavailable' for out-patient clinic appointments at a staggering 3179 documents, despite using electronic clinical systems such as iCARE and Concerto,” the NHS Data Security – Protecting Patient Records report said.

“The second largest figure was Bolton NHS Trust who were unable to provide 2163 records in time of the patient appointment and use LE 2.2 Patient Management System to record their data.”

In total, 9132 records were recorded as lost or stolen, but the report, which links to the website of cybersecurity firm Centrify, claims only 68 trusts responded to the FOI requests and the total figure across the public health system could be larger.

In third place, according to the researchers, University Hospital Bristol recorded 1105 incidents of unavailable records, with 1075 subsequently found. 

The Royal Devon and Exeter NHS Foundation Trust, which does not use an electronic health record, reported 425 cases of lost or stolen data.

The researchers claim a patient list was stolen from West Suffolk NHS Foundation Trust despite the healthcare provider using Cerner’s Millennium EHR.

According to the report, 94 per cent of the NHS trusts used handwritten notes for patient records in addition to electronic systems.

[Read more: NSW Health Minister apologises as hundreds of abandoned medical files are discovered in derelict former aged care facility | The ubiquitous fax: Queensland’s Ipswich Hospital directs GPs to use the antiquated tech for all urgent referrals]

The report recommended the abolition of paper records that “inevitably” lead to errors and potential security issues, particularly in busy hospital environments.

“It is clear that paper-based systems are no longer fit for purpose and NHS Trusts should work towards implementing digital systems with records capture via tablet computers and mobile devices.”

With health information valuable to hackers, improved protection for patient data is “urgent”, Centrify’s Barry Scott told The Times.

“These incidents underline the need to improve security procedures around the management of health records within the NHS,” Scott said.

“With sales of health records on the dark web and identity fraud on the rise, the need to protect the privacy of patients whilst moving towards secure digital systems is both urgent and essential. The health service remains a top target for hackers and whether their motive is to wreak havoc or steal identities, it’s critical that every single patient record is treated as a high priority by health trusts.”

The authors also recommended the introduction of a patient identity protocol and online access to health records for citizens.

Last year The Guardian revealed over 700,000 pieces of undelivered mail including cancer test results, medication changes, treatment plans and child protection notes had been lost by an NHS contractor between 2011 and 2016, leading UK MPs to claim the NHS had “badly failed patients”.

Meanwhile, earlier this month the NSW Health Minister Brad Hazzard apologised to patients of a former aged facility south of Sydney after paper medical records containing intimate details were left in a now-derelict building, in what was one of the largest privacy breaches of its kind in Australia. Uncovered by a ABC investigation, the records were discovered strewn throughout rooms in the decommissioned Garrawarra Centre for Aged Care in Helensburgh.

To share tips, news or announcements, contact the HITNA editor on




White papers