NHS trust in London becomes fifth health body to receive ICO fine

St George’s Healthcare NHS Trust in London has become the fifth NHS body in under three months to be hit with a significant fine by the Information Commissioner’s Office for a breach of data protection laws.

The monetary penalty was imposed on the trust after a vulnerable individual’s sensitive medical details were sent to the wrong address.

St George’s sent the information in two letters in May 2011. The letters were addressed to the correct recipient, but used an old address even though the individual had not lived at that property for almost five years.

In the course of its investigation, the ICO found that staff at the trust had been provided with the person’s current address before a medical examination had taken place. The correct address had also been added to the national care records service, known as NHS SPINE, in June 2006.

The breach occurred because iClip, the trust’s local patient administration system, had not been kept in step with SPINE: the local record still held the address the individual had left almost five years earlier, even though the national record had been updated in 2006.

“The mistake was made after the Trust’s staff failed to use the address supplied before the examination, or check that the individual’s recorded address on their local patient database matched the data on the SPINE,” the ICO said.

The watchdog added that the Trust had set up a prompt to remind staff about the need to check and update patient information against SPINE.

“However the Trust knew the prompt could be bypassed and failed to take action to address the problem until it was too late,” it said.

St George’s has taken remedial action to ensure that the personal information they handle is kept secure. “This includes making sure adequate checks are in place to ensure that local information the trust has for patients is correct, by cross checking that information against SPINE and other relevant sources,” the ICO said.
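The failure the ICO describes is a reminder prompt that staff could click through, and the fix is a cross-check against SPINE that cannot be skipped. The following is an added example, not code from the ICO, the trust or the NHS, showing the two controls side by side over constructed records: a warn-only prompt still releases the letter to the stale local address, while the enforced check withholds it until the local and master records agree. The record layout, the addresses, the dates and the function names are all assumptions made for the illustration; `local` stands in for a local patient administration system such as iClip and `master` for the national record, and neither system’s real interface is modelled.

```python
"""Added example (not ICO, St George's or NHS code): a bypassable address prompt
beside an enforced local-vs-master cross-check before a letter is dispatched.
All records, dates and names below are constructed for the illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple


@dataclass(frozen=True)
class Address:
    line1: str
    postcode: str
    valid_from: date  # date this address became current on the record


class DispatchBlocked(Exception):
    """Raised when a check refuses to release a letter."""


def normalise(addr: Address) -> Tuple[str, str]:
    """Compare addresses on content, ignoring case and postcode spacing."""
    return (addr.line1.strip().casefold(), addr.postcode.replace(" ", "").upper())


def address_with_prompt(local: Address, master: Optional[Address],
                        staff_acknowledged: bool = True) -> Tuple[Address, Optional[str]]:
    """The weak control: a reminder that can be clicked through.

    A mismatch (or a missing master record) produces a warning, but once staff
    acknowledge the prompt the letter still goes to the local, possibly stale,
    address. Only a staff member who chooses to stop prevents dispatch."""
    warning = None
    if master is None:
        warning = "no master record found; please check SPINE"
    elif normalise(local) != normalise(master):
        warning = "local address differs from master record; please check"
    if warning and not staff_acknowledged:
        raise DispatchBlocked(warning)
    return local, warning


def address_enforced(local: Address, master: Optional[Address]) -> Address:
    """The hardened control: the cross-check cannot be skipped.

    A missing master record or any disagreement blocks dispatch outright;
    otherwise the single agreed address is returned."""
    if master is None:
        raise DispatchBlocked("no master record; letter withheld pending verification")
    if normalise(local) != normalise(master):
        raise DispatchBlocked(
            f"local address (from {local.valid_from}) does not match master "
            f"(from {master.valid_from}); letter withheld")
    return master


def enforced_blocks(local: Address, master: Optional[Address]) -> bool:
    """True if the enforced check would withhold the letter."""
    try:
        address_enforced(local, master)
    except DispatchBlocked:
        return True
    return False


def reconcile(local: Address, master: Address) -> Address:
    """Align the local record with the master by adopting whichever is newer."""
    return master if master.valid_from > local.valid_from else local


# Constructed sample records: the local system still holds a pre-2006 address,
# while the master record was updated in June 2006.
LOCAL_STALE = Address("1 Example Street", "AB1 2CD", date(2001, 3, 1))
MASTER_CURRENT = Address("2 Sample Road", "EF3 4GH", date(2006, 6, 1))


def demo() -> dict:
    """Run both controls over the constructed records and report the outcomes."""
    printed, warning = address_with_prompt(LOCAL_STALE, MASTER_CURRENT)
    aligned = reconcile(LOCAL_STALE, MASTER_CURRENT)
    return {
        "prompt_sends_to_stale_address": printed == LOCAL_STALE,
        "prompt_warning_shown": warning is not None,
        "enforced_blocked": enforced_blocks(LOCAL_STALE, MASTER_CURRENT),
        "enforced_blocks_when_master_missing": enforced_blocks(LOCAL_STALE, None),
        "after_reconcile_sends_to": address_enforced(aligned, MASTER_CURRENT).line1,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the prompt and the enforced check see exactly the same mismatch; the difference is solely whether the process can continue past it. Reconciling the local record from the master is what removes the mismatch, so the enforced gate then releases the letter to the current address rather than the old one.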

The previous NHS bodies to have been fined are:

  • Belfast Health and Social Care Trust (June 2012): £225,000. This case centred on data breaches from a disused site owned by the trust.
  • Brighton and Sussex University Hospitals NHS Trust (June 2012): £325,000. This was after more than 200 hard drives containing patient and staff data were discovered to have been sold on eBay.
  • Central London Community Healthcare NHS Trust (May 2012): £90,000. This followed the sending of patient data from a palliative care unit to the wrong recipient.
  • Aneurin Bevan Health Board (April 2012): £70,000. This was levied after a sensitive report was sent to the wrong person.

Brighton and Sussex University Hospitals Trust initially threatened to contest its monetary penalty, but decided last month to pay up by a deadline that reduced the amount to £260,000. 

The Central London Community Healthcare NHS Trust is understood to be continuing with its legal challenge.

Commenting on the St George’s case, Stephen Eckersley, the ICO’s Head of Enforcement, said: “It’s hard to imagine a more distressing situation for a vulnerable person than the thought of their sensitive health information being sent to someone who had no reason to see it. This breach was clearly preventable and is the result of the Trust’s failure to make sure the contact details they have for their patients are accurate and up to date.

“It is vital that NHS organisations make sure they have the necessary measures in place to keep patients’ details secure.”

A spokesman for St George’s said it accepted the penalty imposed and had apologised to those affected for the distress the incident had caused.

He added: “As soon as we discovered this mistake we reported it to the ICO and contacted those affected to explain what had happened.

“We launched an immediate investigation and have introduced a number of measures to help prevent similar incidents in the future, including clearer documentation and additional training for staff. We have also made improvements to our information systems to ensure that our staff always have access to the most up to date patient contact details.”

Philip Hoult