
Information Commissioner hands out first NHS fine

Inadequate systems and processes in place to ensure sensitive health information was sent to correct patient

A Welsh health board has become the first NHS organisation to receive a financial penalty from the Information Commissioner's Office (ICO) for a serious breach of the Data Protection Act (DPA).

The ICO has fined the Aneurin Bevan Health Board (ABHB) £70,000 after it sent a report containing sensitive information about a patient's health to the wrong person.

The data breach occurred when a consultant emailed a letter to a secretary for formatting, printing and posting, but did not include enough information - such as an address or NHS number - for the secretary to identify the correct patient. The doctor also used two different spellings of the patient's surname in the same letter. These errors led to the report being sent to a former patient with a similar name in March 2011, as the secretary simply relied on the electronic patient record system to provide the patient's details.

An ICO investigation found that data protection training was lacking for both clinical and secretarial staff at the organisation. It also found that ABHB did not have adequate controls in place to ensure that personal information was sent to the right person.

The ICO decided that the breach was serious enough to warrant a financial penalty "because the measures did not ensure a level of security appropriate to the harm that might result from such unauthorised processing and the nature of the data to be protected".

Stephen Eckersley, the ICO's head of enforcement, said: "Aneurin Bevan Health Board failed to have suitable checks in place to keep the sensitive information they handled secure. This case could have been extremely distressing to the individual and their family and may have been prevented if the information had been checked prior to it being sent.

"We are pleased that the health board has now committed to taking action to address the problems highlighted by our investigation. However, organisations across the health service must stand up and take notice of this decision if they want to avoid future enforcement action from the ICO."

ABHB has signed an undertaking to ensure that all staff are trained on the organisation's policies on storage and use of personal data. It will also regularly monitor compliance on policies on data protection and IT security, and checking processes will be introduced to confirm a patient's identity before personal information is sent out.
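The breach described above came down to a lookup on a surname alone, with two spellings of that surname in the letter and no NHS number or address to disambiguate. As an added illustration, not code from the article or from the health board, here is one way a pre-dispatch identity check of the kind the undertaking describes can be expressed: the letter is released only when a strong identifier (NHS number or address) resolves to exactly one record and every spelling of the surname in the letter agrees with that record. The `PatientRecord` layout, the sample `EPR` table and the patient names are constructed for this example; the NHS-number check-digit routine is the standard modulus-11 test.

```python
# Added example (not from the article): a pre-dispatch check for outgoing
# patient correspondence. It refuses to release a letter on the basis of a
# name alone, requires a strong identifier to match exactly one record, and
# holds the letter if any surname spelling in it disagrees with that record.
# All record data below is constructed for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PatientRecord:
    nhs_number: str   # 10 digits, shown with the usual 3-3-4 spacing
    surname: str
    address: str


# Constructed sample electronic patient record (EPR) table; the two surnames
# are deliberately near-identical, as in the case the ICO described.
EPR = [
    PatientRecord("943 476 5919", "Smith", "1 Example Road, Newport"),
    PatientRecord("943 476 5927", "Smyth", "2 Sample Street, Cwmbran"),
]


def nhs_number_is_valid(value: str) -> bool:
    """Standard NHS-number modulus-11 check digit (weights 10 down to 2)."""
    digits = value.replace(" ", "")
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False          # remainder 1 never yields a valid number
    return check == int(digits[9])


def _norm(text: str) -> str:
    """Case- and punctuation-insensitive form for comparing names/addresses."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


@dataclass(frozen=True)
class Decision:
    recipient: Optional[PatientRecord]   # None means the letter is held
    reason: str


def check_before_sending(surnames_in_letter: list[str],
                         nhs_number: Optional[str] = None,
                         address: Optional[str] = None,
                         records=EPR) -> Decision:
    """Release a letter only when a strong identifier selects exactly one
    record and every surname spelling in the letter matches that record."""
    if not surnames_in_letter:
        return Decision(None, "held: letter names no patient")
    if nhs_number is None and address is None:
        return Decision(None, "held: no NHS number or address; a name alone is not enough")
    if nhs_number is not None and not nhs_number_is_valid(nhs_number):
        return Decision(None, "held: NHS number fails check digit")

    candidates = [
        r for r in records
        if (nhs_number is not None and _norm(r.nhs_number) == _norm(nhs_number))
        or (address is not None and _norm(r.address) == _norm(address))
    ]
    if len(candidates) != 1:
        return Decision(None, f"held: identifier matched {len(candidates)} records, need exactly 1")

    record = candidates[0]
    # Every spelling of the surname used in the letter must agree with the record;
    # an inconsistent letter goes back to its author rather than out of the door.
    mismatched = sorted({s for s in surnames_in_letter if _norm(s) != _norm(record.surname)})
    if mismatched:
        return Decision(None, f"held: surname spelling(s) {mismatched} do not match record '{record.surname}'")
    return Decision(record, "release")


if __name__ == "__main__":
    # The failure pattern from the case: two spellings, no strong identifier.
    print(check_before_sending(["Smith", "Smyth"]))
    # Strong identifier present, but the letter is still internally inconsistent.
    print(check_before_sending(["Smith", "Smyth"], nhs_number="943 476 5919"))
    # Consistent letter with a valid NHS number: released.
    print(check_before_sending(["Smith"], nhs_number="943 476 5919"))
```

The point of holding rather than guessing is that the secretary in the case had no safe way to choose between similar records; a check that returns a reason string gives the sender something concrete to fix (add the NHS number, reconcile the spelling) instead of leaving the decision to whoever happens to be looking at the record system.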

The fine is due to be paid by 24 May at the latest, but if the board pays in full by 23 May, the penalty will be reduced by 20 percent to £56,000.

Other organisations that have received monetary penalties from the ICO for serious breaches of the DPA include Cheshire East Council, after it sent an email containing personal information about an individual of concern to the police to 180 unintended recipients, and North Somerset Council, which sent five emails containing confidential information to the wrong NHS employee.
