ICO hits first NHS organisation with monetary penalty for data breach

The Information Commissioner’s Office has issued its first monetary penalty on an NHS organisation and fired a warning to other bodies in the sector to “stand up and take notice” if they want to avoid future enforcement action.

The ICO, which has served more than £1m in penalties on councils since gaining extended powers in April 2010, has ordered the Aneurin Bevan Health Board (ABHB) in Wales to pay £70,000.

The fine was levied after a sensitive report was sent to the wrong person. According to the ICO, the report contained explicit details relating to the health of a patient who had had dealings with a consultant over a five to six-month period.

The incident occurred when the consultant emailed a letter to a secretary, but failed to include sufficient information for the secretary to identify the correct patient. The doctor had also misspelt the patient’s name at one point.

The letter did not identify the patient by way of an address or a unique identifier such as the patient’s hospital number or NHS number.

The secretary was used to working in this way and simply relied on the electronic patient record system to provide details of the patient.

However, the lack of identifiers meant the report was sent in March 2011 to a former patient with a very similar name.

The ICO’s investigation found that:

  • There was an “absence of robust systems”;
  • Neither member of staff had received data protection training;
  • ABHB did not have adequate checks in place to ensure personal information was sent to the correct person;
  • These practices were used by other clinical and secretarial staff across the organisation.

The watchdog concluded that there had been a serious breach of the Data Protection Act.

Aggravating factors that affected the amount of the penalty included the fact that the recipient had read the letter and the ABHB’s failure to provide the ICO with timely responses to its enquiries.

In terms of mitigation, the watchdog acknowledged that this was a ‘one-off’ incident as far as it was aware. The incident had also been voluntarily reported to the ICO and the Board had been “generally co-operative”.

The ABHB has signed an undertaking to tackle the issues raised by the ICO following its investigation. This includes providing staff training, monitoring of compliance, and the introduction of new checking processes before personal information is sent out.
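The chain of events described above (a letter carrying only a name, matched by hand against the record system, reaching a different patient with a similar name) and the pre-dispatch checking process in the undertaking can be made concrete. The following is an added example, not code from ABHB or the ICO: the patient records are constructed, and the only real rule it relies on is the Modulus 11 check digit carried by NHS numbers.

```python
"""Pre-dispatch recipient check for clinical correspondence (added example)."""
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Optional

@dataclass(frozen=True)
class Patient:
    nhs_number: str
    name: str

# Constructed patient record system: two patients with very similar names,
# the situation in which a name-only match sends a letter to the wrong person.
RECORDS = {
    "9434765919": Patient("9434765919", "John Smith"),
    "9434765870": Patient("9434765870", "Jon Smith"),
}

def valid_nhs_number(number: str) -> bool:
    """Modulus 11 check digit carried by every 10-digit NHS number."""
    if len(number) != 10 or not number.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(number[:9], range(10, 1, -1)))
    check = (11 - total % 11) % 11          # remainder 0 -> check digit 0
    return check != 10 and check == int(number[9])  # a result of 10 is never valid

def _similar(a: str, b: str) -> float:
    return SequenceMatcher(None, a.casefold(), b.casefold()).ratio()

def candidates_by_name(name: str, threshold: float = 0.8) -> list:
    """What a name-only lookup yields: every record that merely looks alike.
    More than one hit means the secretary is choosing, not the data."""
    return [p.nhs_number for p in RECORDS.values() if _similar(name, p.name) >= threshold]

def release_letter(name: str, nhs_number: Optional[str]) -> tuple:
    """Gate a letter before it leaves: identifier mandatory, name must agree.

    The identifier is authoritative, but the name on the letter must still be
    consistent with the record it resolves to, so a mistyped number is held
    for review rather than silently redirecting the letter.
    """
    if not nhs_number:
        return False, "no unique identifier: name-only matching not permitted"
    if not valid_nhs_number(nhs_number):
        return False, "NHS number fails check digit"
    patient = RECORDS.get(nhs_number)
    if patient is None:
        return False, "NHS number not found in patient record system"
    if _similar(name, patient.name) < 0.85:
        return False, f"name on letter does not match record holder {patient.name!r}"
    return True, f"release to {patient.name} ({patient.nhs_number})"
```

Run against the constructed records, a letter addressed only to "Jon Smyth" yields two candidates and is refused, while the same letter carrying the second patient's NHS number is released.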

Stephen Eckersley, the ICO’s Head of Enforcement, said: “The health service holds some of the most sensitive information available. The damage and distress caused by the loss of a patient’s medical record is obvious, therefore it is vital that organisations across this sector make sure their data protection practices are adequate.

“Aneurin Bevan Health Board failed to have suitable checks in place to keep the sensitive information they handled secure. This case could have been extremely distressing to the individual and their family and may have been prevented if the information had been checked prior to it being sent.”

In January this year it was revealed that the ICO was proposing to levy a £375,000 penalty on Brighton and Sussex University Hospitals after hard drives were sold on eBay. However, the trust’s chief executive said it would be challenging the fine and the ICO has yet to reveal the outcome of the case.

Philip Hoult