Patient records held in as many as one-in-three GP surgeries in the UK are at risk of compromise due to a data sharing option in the patient records management software they use.
The medical records of 26 million patients could, in theory, be at risk as a consequence, when doctors' surgeries enable an "enhanced data sharing" feature in the SystmOne clinical management software, widely used in surgeries across the UK.
By enabling the enhanced data sharing feature, surgeries allow workers across the National Health Service, which employs more than one million people, to access patient records belonging to people across the country.
This might include receptionists, clerical staff, pharmacists, other GP surgeries, care homes and even prisons, all able to access medical information about people with minimal safeguards against misuse.
However, the company behind the software, TPP, claims that surgeries are fully informed about the consequences of enabling data sharing, and that the software includes check boxes to ensure that patient consent is obtained.
Privacy campaigners, however, have criticised the software.
"This is a truly devastating breach, which involves millions of patients' GP records - for some, the most deeply personal, sensitive and confidential data about them - being exposed to hundreds of thousands of people, with no mechanism to prevent them if any of them chooses to look," privacy campaigner Phil Booth, behind the medConfidential campaign group, told the Telegraph.
As a result, suggested Dr Paul Cundy, the head of the British Medical Association's IT committee, GP surgeries up and down the country were in breach of data protection laws - laws that could expose them to big fines from May next year when the EU's General Data Protection Regulation (GDPR) fully comes into force.
General practitioners have therefore been urged to turn off the function as a matter of urgency.
The Information Commissioner's Office (ICO) has been informed and is investigating.
A spokesman for TPP, the company behind the SystmOne software, admitted to the Telegraph that doctors have a duty to "fully inform patients about who might be able to see their records, what parts of their records and in what circumstances" or "turn off record sharing".
The news comes in the same week that a deal between Royal Free London NHS Foundation Trust and Google-owned artificial intelligence specialists DeepMind, which gave the company access to the private medical records of hundreds of thousands of patients, was slammed by an independent report.