The UK's data protection watchdog has levied its first fine against an NHS organisation, after a Welsh hospital accidentally sent a patient's health details to the wrong person.
The Information Commissioner's Office (ICO) said on Monday that the Aneurin Bevan Health Board (ABHB) had been fined £70,000 over the incident, which took place when a consultant sent a medical secretary a letter for formatting, but without an identifying patient number. The doctor also misspelled the patient's name at one point.
When linking the letter to a patient in the hospital's records, the secretary chose the wrong patient, albeit one with a similar name. The report was then sent to that wrong patient, who read it.
"The health service holds some of the most sensitive information available. The damage and distress caused by the loss of a patient's medical record is obvious, therefore it is vital that organisations across this sector make sure their data protection practices are adequate," ICO enforcement chief Stephen Eckersley said in a statement.
The ICO found that neither the consultant nor the secretary had received data protection training, and that the ABHB did not have adequate checks in place to prevent this sort of incident from occurring.
The health board has now agreed to improve its processes.
Organisations across the health service must stand up and take notice of this decision if they want to avoid future enforcement action from the ICO.– Stephen Eckersley, ICO
"This case could have been extremely distressing to the individual and their family and may have been prevented if the information had been checked prior to it being sent," Eckersley said. "Organisations across the health service must stand up and take notice of this decision if they want to avoid future enforcement action from the ICO."
Although the ABHB case is the first where the ICO has levied a fine on an NHS organisation, the data protection watchdog is still considering other fines for similar bodies.
The Brighton and Sussex University Hospitals NHS Trust is facing a much weightier £375k fine after a contractor it employed to destroy hard drives sold them on eBay instead. The drives contained patient data.
However, the ICO has not yet given a final decision on that fine, as it is still in discussions with the trust.
The watchdog has reprimanded NHS organisations in the past, but without fines being levied.