A severe security alert has been issued over confidential NHS medical records of every Birmingham patient being left open to breach, the Birmingham Post can reveal.

The National Information Commissioner has ordered an investigation into access of IT files held by Birmingham Primary Care Shared Services Agency, which holds all staff and patient files for the city’s three primary care trusts (PCTs) plus all GP surgeries.

The highest level of Serious Untoward Incident - level five - has been issued over the computer network allegedly being left repeatedly compromised and insecure, an insider said.

All patient data along with staff pay and personal details up to chief executive level are believed to have been left accessible to more than 6,000 NHS workers who normally would not be allowed access to such private material.

Health chiefs for the city now face a maximum fine of £500,000 if the Information Commissioner finds the NHS in breach of the Data Protection Act.

The city has a population of around one million and anyone registered with a GP across Heart of Birmingham, South or Birmingham East and North PCTs, which is the majority of the population, would be affected.

An NHS source, who feared being named, claimed members of the public using computers at some health sites, like Moseley Hall Hospital, would also have been able to access the insecure confidential records.

He added that initial quotes to repair the servers were as high as £1million.

“All financial and patient data, emails and GP files have been compromised and insecure meaning anyone at the NHS community sites could access this data,” said the senior source.

“It has come out of a cavalier way of managing breaches and now the genie has been let out of the bag.

“Security to a network is the most serious issue you can get.”

Officials from neighbouring Wolverhampton PCT were drafted in to do an independent investigation into the issue in the past week.

Jonathan Tringham, Director of Resources at NHS Birmingham East and North, confirmed an investigation was under way and said: “This incident concerned staff access only and not access by the general public or other external bodies.

“This has been reported to the Information Commissioner and a review of all IT files and permissions has been launched.

“Documents with patient identifiable data were potentially available to staff across the three trusts. At no point were patient records accessed inappropriately. Measures exist to ensure staff are aware of and comply with all policies and legislation on confidentiality and data protection.

“We are currently working through our plans and the cost of rectifying the issue is being assessed. We anticipate much of the work will be done without extra cost to the PCTs.

“The contract of the Interim Director of the Birmingham Primary Care Shared Services Agency has come to an end.”

He added: “Staff are given access to documents and files based on their roles and we have undergone a wide-scale review of file permissions to ensure that they remain appropriate.

“The PCTs take any information security incidents very seriously and are committed to ensuring IT networks and patient data are secure.”

This latest incident comes after the Information Commissioner’s Office gave Birmingham Children’s Hospital an official warning in July after videos and medical notes of 17 sick children ended up in the hands of criminals who stole two laptops with unencrypted information.