Medical regulator drops probe into NHS whistleblower Peter Duffy amid dispute over email evidence

The UK’s chief regulator for doctors has dropped an investigation into an NHS whistleblower who exposed hundreds of cases of harm at a hospital trust in north-west England, following a dispute over the authenticity of emails put forward as evidence by the trust.

Consultant urologist Peter Duffy, 61, has faced disciplinary proceedings at the General Medical Council (GMC), which could have led to him being barred from practice, for over two years. 

The case centred on the contents of two disputed emails that Morecambe Bay Trust (UHMBT) produced as evidence a number of years after Duffy blew the whistle on patient safety at the trust.

The GMC has now found there is no case to answer.

In a 30-page decision letter, the GMC highlighted the “particular regard” it gave to its “inability to place weight” on an IT report that had found there was no evidence of tampering or foul play over the disputed emails.

The GMC said it was unable to assess the report since a company commissioned by the NHS to oversee the exercise, Niche Consult, did not disclose it to the GMC during the 30-month probe.

Niche Consult subcontracted two “independent cyber security firms” to carry out the review “on a blind basis from each other”, according to NHS England.

The review assessed Duffy’s claims that emails apparently sent by him in 2014 – but that were not discovered until 2020 – had been falsified.

The GMC also found that a key interview transcript provided to investigators by the firm was unsigned and that “the deletion of Mr Duffy’s inbox” meant it was not possible to interrogate his email history.

Leading IT experts have told Computer Weekly that the withholding of a secret cyber security report into Duffy’s email allegations from the GMC’s probe and the format of the emails supplied to the regulator, in PDF form, meant there was a “particularly weak” basis to use them as evidence against Duffy.

A picture of Peter Duffy, a consultant urologist who lifted the lid on more than 500 cases of clinical harm at Morecambe Bay NHS Trust

“I think it’s important to highlight, before anything else, just how close we came to a significant miscarriage of justice here”

Peter Duffy, a consultant urologist who lifted the lid on more than 500 cases of clinical harm at Morecambe Bay NHS Trust

The case prompted one of the trust’s governors to resign last week over what she described as a lack of transparency on the part of the trust and attempts to “suppress” governors asking questions about the case.

Duffy told Computer Weekly that the disputed emails, which emerged nearly five years after he lost his job for speaking out on department-wide patient safety harm, could have seen him struck off and potentially facing criminal charges.

“I think it’s important to highlight, before anything else, just how close we came to a significant miscarriage of justice here,” he said.

The firm that oversaw the review into the disputed emails, Niche Consult, has been paid around £5m by NHS England since it began its work at UHMBT.

Governor resigns

Computer Weekly can reveal that one governor, herself an ex-whistleblower at UHMBT, has resigned over an alleged lack of transparency she says the governors have encountered when attempting to get answers to their questions on Duffy and the emails.

Más contenido para leer:  Rolls-Royce looks at viability of quantum computing in nuclear safety

Sue Allison stepped down from the trust on Tuesday 30 May, citing a bullying culture and the lack of change at UHMBT since she reported patient safety concerns at its breast-screening clinic a decade ago.

She told Computer Weekly that she and other governors had been “suppressed” when asking questions of the trust over the emails and Niche Consult’s review.

She said there was a particular obligation on Niche Consult to be transparent and accountable about its work at UHMBT, given its investigation had been funded by the taxpayer and there was a considerable public interest in the case’s handling for health-service users across the UK.

The firm that oversaw the review into the disputed emails, Niche Consult, has been paid around £5m by NHS England since it began its work at UHMBT.

Tampering

Duffy alleges that the trust’s official IT record was tampered with. He claims that the disputed email correspondence, which concerns key decisions taken about an elderly patient’s care, was falsified and backdated.

Picture of Sue Allison, an ex-whistleblower at UHMBT, who resigned from the trust’s board of governors last week, citing a bullying culture and the lack of change at UHMBT since she reported patient safety concerns at its breast-screening clinic a decade ago

Sue Allison, an ex-whistleblower at UHMBT, resigned from the trust’s board of governors last week, citing a bullying culture and the lack of change at UHMBT since she reported patient safety concerns at its breast-screening clinic a decade ago

The disputed emails relate to the care received by the late Peter Read, an elderly man from Morecambe who died as a result of sepsis at the Royal Lancaster Infirmary in January 2015.

Read’s treatment, which was at the centre of Duffy’s whistleblowing at UHMBT, became the “index case” in the investigation ordered by NHS England and carried out by Niche Consult into the trust’s urology unit.

The probe identified 19 “missed opportunities” in the string of clinical errors that led to Read’s death – one of more than 500 cases in which patients were found to have suffered “actual or potential harm” at UHMBT’s urology department.

The trust, NHS England and Niche Consult – a private firm hired to investigate the trust’s urology services – have maintained that the emails are genuine since they first appeared in 2020. An NHS England spokesperson said two unnamed companies Niche Consult subcontracted to examine Duffy’s email falsification claims undertook “a cyber security assessment, comparison with contemporaneous server logs, and a review of the internet headings”. The spokesperson added that “no evidence” of tampering was found by the two unnamed firms.

Forensic evidence

Two leading experts have pointed out that analysis of the emails’ full database archive and headers would be needed to pass muster in a court setting.

Peter Sommer, digital forensics expert and visiting professor at Birmingham City University, told Computer Weekly that analysis of the full database archive would be “needed” to determine whether tampering of the official NHS IT record had taken place.

“For many years now, email programs have stored emails not as individual items but within a database,” he said. “The purpose is to make it much easier for users to find old emails of interest. In a forensic and litigation situation, what is needed is the full database archive. That makes it much more difficult for inconvenient items to be lost or content to be tampered with.”

Más contenido para leer:  Cinco consejos para asegurarse de que su plan de comunicaciones en caso de crisis esté listo para un ciberataque

Ross Anderson, chair of the Foundation for Information Policy Research and a professor at the University of Cambridge, also said full disclosure of the email headers and metadata was needed to adequately determine whether falsification had taken place.

He told Computer Weekly: “When doing email forensics, you look at all the headers in detail. They’re very complicated and you need specialist knowledge to understand them all. For that reason, they’re fiendishly difficult to forge well enough to fool a real expert.”

Sommer highlighted the lack of robust evidence in the copies of the emails supplied to the GMC, which were in the form of PDF files, adding that Niche would likely be required to disclose its unpublished IT report if any proceedings against Duffy were to be taken forward.

“The PDFs used in this situation are particularly weak as evidence,” he said. “They don’t even include the ‘source’ or header data, which must have been in the original and is an essential tool for spotting forgery. The international standards are: IETF RFC 2076, 2156, 5322.

“The unpublished IT report from the two unnamed cyber security companies should surely fall to be disclosed in any regular civil litigation.”

The GMC’s tribunal process is, however, not subject to the same rules as regular court disputes.

Anderson also said: “The normal practice in a trial is for the best evidence, i.e. the full emails, to be provided to the other side, so that their expert can examine them.

The medical regulator noted in its review that it did not hire independent IT experts to review evidence in relation to the emails’ authenticity.

Full disclosure

Former governor Sue Allison said the lack of transparency from the NHS in Duffy’s case raised serious questions.

“Vast sums of public money have been spent here,” she said. “If neither we nor the family can see these reports or get answers to some of these questions, then I think it sets a really dangerous precedent for future investigations of this kind. It goes completely against the ethos of the NHS.”

In an October 2022 letter sent by the trust’s chair, Mike Thomas, Allison and two colleagues were told to stop emailing questions about Duffy and UHMBT’s urology service.

“It was agreed at the session with Mary Ann Bruce [of Niche Consult] that no further questions regarding urology would be raised until completion of phase 5 of the Niche investigation, which will be commencing in the next few weeks,” Thomas said in his letter to Allison.

Thomas accused the trio of “hampering the board and the council of governors” through their emailed questions and asked them to “refrain” from making further enquiries around urology and other services.

Allison also said governors have been ordered to use only UHMBT email accounts to discuss these matters.

Niche produced two reports – one into the care Read received at UMBHT, and one into the provenance of Duffy’s email. It has supplied confidential copies of the reports to Read’s family and to Duffy.

Más contenido para leer:  Se observan más ataques de ingeniería social a proyectos de código abierto

But Read’s daughter, Karen Beamer, told Computer Weekly that Niche and NHS England were withholding the reports from the trust’s elected governors and from the wider public against the family’s wishes.

“If you believe in the strength of your evidence, you hand it over and you stand over it,” she said. “Nobody ever had the original ‘source’ of those emails.”

Further questions

Duffy said that “an at-times Kafkaesque” quasi-judicial process had been hanging over him for nearly two-and-a-half years due to the way the disputed emails were handled.

He added that a number of crucial questions surrounding the emails’ authenticity had not been adequately addressed by Niche, NHS England or the trust.

One “anomaly” the GMC highlights in its decision letter is that one of the two emails in question, dated 29 December, “appeared” in the inbox of UHMBT’s head of urology, Colin Cutting, “three days before it was sent”.

The GMC’s decision letter reads: “Dr Cutting has given evidence that the email dated 29 December appeared in his inbox dated 26 December (three days before it was sent).

“We have had sight of screen shots of this email showing the date discrepancy. This differs to the email contained in the inbox of others, which is dated 29 December. We are not aware of any explanation having been provided to explain this anomaly.”

Other senior medics copied into the emails said they have no recollection of having received them, nor of a phone call on an urgent stent change that is cited in the second of the two emails.

Duffy also pointed out that the trust combed through 3,000 departmental emails for the 2018 tribunal hearing that considered his constructive dismissal claim against UHMBT.

The judge in that case ordered that all communications and correspondence relating to Read’s care be handed over to the tribunal.

But the two emails in question were not disclosed during those proceedings – in spite of the court order.

Aaron Cummins, UHMBT’s CEO, confirmed to Duffy earlier this year that the trust had not informed Niche Consult that the emails had not been disclosed to the tribunal during its 2019-2021 investigation into the trust’s urology services.

Microsoft 365

NHS England, responding on behalf of Niche Consult, said the reason the two emails were not found earlier was that UHMBT upgraded its IT systems to Microsoft 365 at some point between 2018 and 2020.

Through Microsoft 365’s more advanced search function, NHS England’s spokesperson said the emails could finally be retrieved.

NHS England also said Niche hired “two independent cyber security firms” to review Duffy’s email falsification allegations.

The GMC decision letter notes that only one company held expertise in cyber security, with the other firm “having a background in audit”.

Through NHS England commissions, Niche was paid a total of £1.26m in 2019/20 – the year it began its investigation. The firm was then paid £1.98m in 2020/21 and £1.94m in 2021/22.

NHS England has refused to disclose whether it has other contracts with Niche, or to disclose how much it has paid…

Nuestro objetivo fué el mismo desde 2004, unir personas y ayudarlas en sus acciones online, siempre gratis, eficiente y sobre todo fácil!

¿Donde estamos?

Mendoza, Argentina

Nuestras Redes Sociales