The medical records of 26 million patients are embroiled in a major security breach amid warnings that the IT system used by thousands of GPs is not secure.
The Information Commissioner is investigating concerns that records held by 2,700 practices - one in three of those in England - can be accessed by hundreds of thousands of strangers.
Privacy campaigners last night said the breach was “truly devastating” with millions of patients having no idea if their records had been compromised.
GP leaders said the breach had “potentially huge implications” and could see family doctors flooded with complaints.
The investigation centres on one of the most popular computer systems used by GPs.
Unbeknown to doctors, switching on “enhanced data sharing” - so records could be seen by the local hospital - meant they can also be accessed by hundreds of thousands of workers across the country.
It means receptionists, clerical staff, healthcare assistants and medics working in pharmacies, hospitals, GP surgeries, care homes and prisons can look up sensitive information about individuals - even if there is no medical reason to do so.
Patients would not have been told their records were available in this way, and information could be accessed for malicious reasons, or fall into criminal hands, privacy experts warned.
Phil Booth, from privacy campaign group medConfidential, said: “This is a truly devastating breach which involves millions of patients’ GP records – for some, the most deeply personal, sensitive and confidential data about them – being exposed to hundreds of thousands of people, with no mechanism to prevent them if any of them chooses to look.”
The campaign group has published information online so patients can find out if they were affected, and take steps to protect their data.
The head of the British Medical Association’s IT committee has written to all GPs who use SystmOne, owned by TPP, urging them to take “urgent action”.
Dr Paul Cundy warned doctors that they have breached data protection laws, and could be open to patient complaints.
“This is a serious issue with potentially huge implications for patients, GPs and TPP,” he said.
“At the moment GPs are at risk of complaints being made against them.”
Doctors have been urged to consider either switching off the function, although this would make it difficult to work with local hospitals, or telling their patients that security has been compromised.
“It is unlikely that patients would expect to learn that their records were accessible by the wide range of institutions and organisations that currently have [SystmOne] installed, such as many prisons. I understand there are currently approximately 2,000 separate organisations connected across their client base,” he said.
A spokesman for the Information Commissioner told Pulse magazine: “We do have data protection compliance concerns about SystmOne’s enhanced data sharing function. These concerns are centred around fair and lawful processing and ensuring appropriate security in respect of the data held on the system.
“We have made these concerns clear to TPP and NHS Digital and we are in discussions with them about how these are resolved.”
Under data protection laws, patients are supposed to be informed of any privacy risks to their data and told if others are being given access to it.
A TPP spokesman said practices using SystmOne must either “fully inform patients about who might be able to see their records, what parts of their records and in what circumstances” or “turn off record sharing”.
No SystmOne user should be using the patient record sharing function “without fully understanding the consequences and without fully informing patients of the impact on their care,” he said.
TPP has previously said it is “making amendments” to the function.
The spokesman said the company remains in talks with the Information Commissioner, NHS Digital and NHS England about the issues.