Who Sees What?


Losing data with impunity?

Here’s a fun game for these rainy afternoons. Go to Google and search for ‘NHS patient records lost.’

The results are impressive – the list of scandals gives the impression of data loss of an almost serial nature. A couple of thousand patient records lost on a stolen laptop here, another 2,500 left on a laptop next to a skip there. One of the more embarrassing stories is from NHS Central Lancashire where the medical details of 6,360 prisoners were left on a memory stick. The information was encrypted but the password was stuck to it on a post-it. In another, an unencrypted memory stick was left in the back of a car and only rediscovered when it was handed back by a carwash attendant.

The lessons are pretty clear. Memory sticks are a very common theme, so let’s stop carrying patient information around on them. Stolen laptops are another. So let’s leave patient information on the official record and only access it through the proper channels. Data that is never copied onto a portable device cannot be lost with it, and where a device genuinely has to carry data, encryption only helps if the password stays with the person rather than with the device. The point is that the electronic systems aren’t usually to blame. It’s the people using (or misusing) them who cause the problems.

Of course, googling is hardly a rigorous research method, and it gives an exaggerated impression of the problem. ‘NHS staff don’t lose any patient records’ is never on the front page because it’s not a story anyone’s interested in reading. Still, as more patient records are computerised and as databases get larger and more centralised, the potential for security failures also increases. That is the background to no fewer than 14 NHS organisations being given formal warnings in the six months between October 2008 and April 2009.

Patient confidentiality has always been part of medical training, but never before have NHS staff had access to so much data. It’s never been this easy for things to go this wrong, and the systems are set to become even more powerful as the programme continues. Confidence in the staff who know so much about us is essential if we are going to reap the benefits of electronic patient records. As well as increasing training, now may be a good time to take a closer look at how we hold staff accountable.

The Information Commissioner’s Office (ICO) handles all breaches of the Data Protection Act. When something goes wrong an NHS body is ‘rapped’ – made to sign an undertaking to improve security, which could lead to legal action if broken. Given that the Data Protection Act is legally binding anyway, this is little more than a formalised telling-off, and there has been no sign of such legal action. The ICO is supposed to be getting new powers sometime soon, which will allow it to fine organisations for ‘deliberate or reckless’ breaches of data protection. But so far there seem to be rather few repercussions for losing thousands of patients’ sensitive health information – apart from some bad publicity and sore knuckles.
