Inaccurate records cost NHS body £60,000 for sensitive data breach

Out-Law News | 13 Jul 2012 | 10:05 am | 1 min. read

A health body has been fined £60,000 after two letters containing "confidential and highly sensitive personal data" about a "vulnerable individual" were sent to the wrong address.

St George’s Healthcare NHS Trust in London failed to keep details of the individual's home address up to date on its database so staff mistakenly sent out the letters to their old address, the Information Commissioner's Office (ICO) said. The watchdog deemed the incidents to be a serious breach of the Data Protection Act (DPA) and served the Trust with a monetary penalty notice (12-page / 1.55MB PDF).

The letters had contained information about the individual's medical history, details and findings of a physical examination that had been undertaken on them, a medical opinion on the findings and "microbiology results" relevant to the individual.

"It’s hard to imagine a more distressing situation for a vulnerable person than the thought of their sensitive health information being sent to someone who had no reason to see it," Stephen Eckersley, the ICO’s head of enforcement, said in a statement. "This breach was clearly preventable and is the result of the Trust’s failure to make sure the contact details they have for their patients are accurate and up to date."

The ICO said the breach occurred because St George's patient administration programme had "not been aligned" with the national care records service (SPINE). This meant staff had not been prompted to check that the individual's address was correct. The SPINE records contained the up-to-date address and had done since 2006, it said.

Staff at St George's also failed to "verbally check the address" with the individual or match the address with the address listed on the patient's "original referral form", the ICO said. The individual's medical records were also "incorrectly made up", which meant staff could not check the "patient demographic front sheet" and spot the discrepancy, it added.

Under the DPA, organisations in control of personal data are required to take "appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". The Act requires organisations to be extra protective of sensitive personal data, such as patient medical records.

Under the DPA, organisations are also required to keep accurate and, where necessary, up-to-date records of personal data.

The ICO has the power to issue penalties of up to £500,000 for serious data breaches of the DPA. St George's is the fifth health sector body that the ICO has served with a monetary penalty notice for a breach of the DPA this year.