A Welsh health board has become the first NHS organisation to receive a financial penalty from the Information Commissioner’s Office (ICO) for a serious breach of the Data Protection Act (DPA).
The ICO has fined the Aneurin Bevan Health Board (ABHB) £70,000 after it sent a report containing sensitive information about a patient’s health to the wrong person.
The data breach occurred when a consultant emailed a letter to a secretary for formatting, printing and posting, but did not include enough information – such as an address or NHS number – for the secretary to identify the correct patient. The doctor also used two different spellings of the patient’s surname in the same letter. These errors led to the report being sent to a former patient with a similar name in March 2011, as the secretary simply relied on the electronic patient record system to provide the patient’s details.
An ICO investigation found that data protection training was lacking for both clinical and secretarial staff at the organisation. It also found that ABHB did not have adequate controls in place to ensure that personal information was sent to the right person.
The ICO decided that the breach was serious enough to warrant a financial penalty “because the measures did not ensure a level of security appropriate to the harm that might result from such unauthorised processing and the nature of the data to be protected”.
Stephen Eckersley, the ICO’s head of enforcement, said: “Aneurin Bevan Health Board failed to have suitable checks in place to keep the sensitive information they handled secure. This case could have been extremely distressing to the individual and their family and may have been prevented if the information had been checked prior to it being sent.
“We are pleased that the health board has now committed to taking action to address the problems highlighted by our investigation. However, organisations across the health service must stand up and take notice of this decision if they want to avoid future enforcement action from the ICO.”
ABHB has signed an undertaking to ensure that all staff are trained on the organisation’s policies on storage and use of personal data. It will also regularly monitor compliance on policies on data protection and IT security, and checking processes will be introduced to confirm a patient’s identity before personal information is sent out.
The fine is due to be paid by 24 May at the latest, but if the board pays in full by 23 May, the penalty will be reduced by 20 percent to £56,000.
Other organisations that have received monetary penalties from the ICO for serious breaches of the DPA include Cheshire East Council, after it sent an email containing personal information about an individual of concern to the police to 180 unintended recipients, and North Somerset Council, which sent five emails containing confidential information to the wrong NHS employee.