Ben Pumphrey, a legal director in the governance, funding and corporate team at Anthony Collins, discusses the importance of protecting patient data in health and social care.
As data and cybersecurity threats increase, a growing number of high-profile breaches have rocked the health and social care sector, bringing significant real-world consequences for patients and providers. Are organisations doing enough to protect patient data and manage data security risks?
In 2022, a cyber-attack on an NHS software supplier led to sensitive personal data being breached after hackers accessed systems via a customer account that lacked multi-factor authentication (MFA). Advanced Computer Software Group, a provider of IT and software services to multiple organisations, including the NHS, was fined £3.07 million for security failings that put the personal information of 79,404 people at risk. This was a highly significant case, as it was the first time that the Information Commissioner’s Office (ICO) fined a company that processes data for others, rather than the data owner itself.
In 2024, Synnovis, a provider of pathology services to a number of healthcare organisations, including the NHS, was the victim of a ransomware attack. This case demonstrated the significant, real-world impact that breaches in this sector can have on patients, as services were significantly disrupted across the UK, causing delays to more than 11,000 outpatient and elective procedure appointments. This case is still under investigation by the ICO.
The stakes are incredibly high when it comes to data security in the health and social care sector. So, what can organisations do to protect patient data and manage risks, whilst adopting efficiency-driving technologies like AI?
Data security risks
With health and social care providers facing increasing cost pressures, Bring Your Own Device (BYOD) initiatives for employees are becoming increasingly common. However, organisations need to be aware of the data security risks associated with such schemes. Recent research found that half of care providers use BYOD approaches, but only half of those have a BYOD policy in place. It also exposed high-risk practices, such as staff using WhatsApp to share sensitive information and connecting to public Wi-Fi to access care systems. To prevent the personal health data of vulnerable people from being stolen or misused, providers need to ensure they have the right policies, training and controls in place. Specifically, there should be a process for systematically analysing, identifying and minimising data protection risks – in other words, data protection impact assessments (DPIAs) should be completed. This is a key part of the accountability obligations under the UK GDPR and is required in order to demonstrate compliance with data protection obligations.
Another key consideration for health and social care providers when protecting patient data is supply chain security, as hackers have realised that a single supplier’s system could give them access to data owned by multiple organisations. Due to this focus on third-party vendors, organisations in the sector need to conduct thorough due diligence and ensure they have a holistic oversight of all suppliers from a data and cybersecurity perspective.
The NHS is increasingly emphasising the importance of vendors having robust security practices, and NHS Trusts must check that IT suppliers handling NHS patient data have completed a data security and protection toolkit (DSPT). Social care organisations that have been awarded NHS contracts by an Integrated Care Board (ICB) must also complete a DSPT and demonstrate standards are being met. The DSPT is rooted in best practice principles, which are aligned to the NCSC’s Cyber Assessment Framework (CAF). These best practice principles have been widely adopted and shared across the NHS.
Another significant issue for health and social care organisations is the growing use of AI-enabled tools, which are being procured through suppliers. Few suppliers develop these software-based systems entirely in-house; they often involve the use of pre-existing third-party models or platforms. Where personal health data is being input into an AI model, health and social care organisations need to use DPIAs to ensure data security risks are identified and steps are taken to mitigate them. The quality and reliability of AI systems must also be carefully reviewed, and assessments should go beyond standard supplier cybersecurity checks to scrutinise how the AI functions in practice.
Crucially, where an AI model is being used to inform care outcomes, organisations must be able to verify that meaningful human oversight is embedded in the process to challenge or override the system’s recommendations. The critical question for clinicians is whether they are merely rubber-stamping the AI’s output or actively applying professional judgment to determine the right care outcome for each patient. In a social care setting, where there is less medical intervention required, there is a higher risk of people defaulting to the AI-proposed output, but it is vital that in all care contexts, AI serves as a supportive tool that is informative but never determinative.
Automated decision-making
The ICO advises organisations to clearly specify the role of the AI model – for example, is it intended to support human decision-making or to make fully automated decisions? Senior management must understand the key risk implications of each approach and ensure that clear accountability and risk management policies are in place. For AI that supports human decisions, policies may need to address additional risks such as automation bias and explicitly ensure that a human remains actively in the loop. Where AI is used for automated decision-making (ADM), organisations must carefully assess the associated risks. While ADM can drive efficiency and streamline processes, it lacks emotional intelligence, clinical judgment, and the ability to consider context or nuance. Consequently, ADM should be avoided for high-risk or high-impact applications in health and social care settings.
The importance of assessing risks and completing DPIAs should not be underestimated. In 2024, the ICO found that Snapchat’s My AI chatbot had not met the requirements of Article 35 of the UK GDPR, which specifies that a DPIA must be carried out, nor Article 36, which specifies that a supervisory authority must be consulted for high-risk applications. Following constructive dialogue and written submissions to the ICO, Snapchat produced a fifth DPIA, which, unlike the earlier ones, met the requirements and contained a significantly more detailed breakdown of the processing operations. This case provides a useful benchmark for organisations to follow when considering the need for a DPIA and completing one.
The health and social care sector faces increasing cyber and data protection challenges alongside serious funding constraints, but providers can’t afford to be complacent. Completing DPIAs, adhering to DSPT standards, and ensuring human oversight of AI in all situations are essential practices to safeguard sensitive patient data and maintain compliance with UK GDPR. With the cyber threat increasing rapidly, these measures are critical to the delivery of safe, resilient care services.