NHS Hit With Its First Data Breach Fine

The NHS has been slapped with its first ever data breach fine, following numerous information handling blunders over the last few years.

The latest snafu saw the Aneurin Bevan Health Board (ABHB) in Wales hit with a £70,000 penalty after a sensitive report – containing explicit details relating to a patient’s health – was sent to the wrong person.

A consultant emailed a letter to a secretary for formatting, but did not provide the right information to make it clear who the correct patient was. A doctor also misspelt the name of the patient at one point, which led to a report on them ending up in the hands of a former patient with an “almost identical surname” in March last year.

‘Substantial distress’

The Information Commissioner’s Office (ICO) found numerous data protection issues at ABHB. Neither the secretary nor the doctor had received data protection training, and there were no checks in place to ensure personal information was sent to the right person.

In its fine notice, the ICO said the “data subject would suffer substantial distress knowing that their confidential and sensitive personal data has been disclosed to a third party”.

“The damage and distress caused by the loss of a patient’s medical record is obvious, therefore it is vital that organisations across this sector make sure their data protection practices are adequate,” said Stephen Eckersley, the ICO’s head of enforcement.

“Aneurin Bevan Health Board failed to have suitable checks in place to keep the sensitive information they handled secure. This case could have been extremely distressing to the individual and their family and may have been prevented if the information had been checked prior to it being sent.”

ABHB told TechWeekEurope it accepted the ICO’s decision, adding it had acted promptly on the points raised by the watchdog. “We have reminded all staff involved in the communication of patient information of the importance of double checking unique individual details e.g. NHS number, date of birth etc,” a spokesperson said. “We have also apologised to both parties involved in this breach of confidentiality and are working directly with the patients affected. We wish to reassure all patients that we are committed to the protection of all clinical information.”

The ICO has been fairly lenient to NHS bodies before in cases where data has gone missing. Over the past few years, the NHS has been guilty of various data breach offences, leaving data sticks in car parks and CDs containing important information at bus stops, amongst other blunders.

Information commissioner Christopher Graham was in boisterous mood during the InfoSecurity Europe 2012 conference last week, saying the regulator should show its teeth. Yet he appeared more in favour of auditing than fining as a way to encourage good behaviour.

Graham said he would like to be able to audit the NHS without its consent – something the ICO cannot currently do. “I absolutely haven’t got it in for the public service,” the commissioner said. “I would much rather audit than fine.”

To date all audits carried out by the ICO have been consensual. That includes the audit of Google that came after the company’s Street View cars had collected Wi-Fi payload data.

UPDATE: The Aneurin Bevan Health Board got back in touch with TechWeekEurope following publication to say it was “disappointed” it had been hit with a fine.

“This was a genuine and unintended individual error, which was self-reported by the organisation to the Information Commissioner, because of the importance the Health Board places on information governance and in line with the Commissioner’s own guidance,” a spokesperson said.

“The Health Board personally approached the patient concerned prior to contacting the Information Commissioner in order to apologise for the breach and to ensure that the patient was fully aware of the breach and the action we were taking to respond.

“The Health Board is disappointed that a financial penalty has been applied given that our last information governance review demonstrated independently how seriously the Health Board takes the protection of patient information. This is also an area that we have invested time, attention and resources in since the start of the Health Board in 2009.”

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
