recent work

NHS receives first fine for data breach

Aneurin Bevan Health Board (ABHB), in Wales, has been fined £70,000 after a hospital accidently sent a patient’s health details to the wrong person.

The incident happened after a consultant sent a letter to a medical secretary to be formatted, but omitted to identify a patient number, and spelt the name incorrectly. As a result, the secretary chose the wrong patient to send the letter to (although they had a similar name) – the wrong patient then read the letter.

“The health service holds some of the most sensitive information available. The damage and distress caused by the loss of a patient’s medical record is obvious, therefore it is vital that organisations across this sector make sure their data protection practices are adequate,” ICO enforcement chief Stephen Eckersley said in a statement.

It was discovered that data protection training hadn’t been given to neither the consultant nor the medical secretary – nor were adequate checks put in place by ABHB to stop such an incident occurring.

Stephen Eckersley, of the ICO said: “Organisations across the health service must stand up and take notice of this decision if they want to avoid future enforcement action from the ICO….this case could have been extremely distressing to the individual and their family and may have been prevented if the information had been checked prior to it being sent. Organisations across the health service must stand up and take notice of this decision if they want to avoid future enforcement action from the ICO.”

Pertinently, although this is the first fine levied on an NHS organisation, “the data protection watchdog is still considering other fines for similar bodies”.

The Brighton and Sussex University Hospitals NHS Trust is facing a much weightier £375k fine after a contractor it employed to destroy hard drives sold them on eBay instead. The drives contained patient data.However, the ICO has not yet given a final decision on that fine, as it is still in discussions with the trust.