The Information Commissioner’s Office (ICO) has fined the Aneurin Bevan Health Board after a serious breach of the Data Protection Act. It is the first time it has levied a financial penalty against an NHS organisation.
The Aneurin Bevan Health Board (ABHB) was fined £70,000 after a series of errors resulted in a report, which contained sensitive information relating to a patient’s health, being sent to the wrong person.
The first error occurred when a consultant emailed a letter to a secretary for formatting but did not include enough information in the letter to enable the secretary to correctly identify the patient, such as an address or NHS number.
The consultant also misspelled the patient’s name at one point, which meant the report was then sent to someone with a very similar name. The person who received the report later confirmed she had read it.
According to the ICO, neither the consultant nor the secretary had received data protection training and ABHB did not have adequate procedures in place to make sure that personal information was sent to the correct person. These poor practices were also used by other clinical and secretarial staff across the organisation, the ICO said.
"Aneurin Bevan Health Board failed to have suitable checks in place to keep the sensitive information they handled secure," said Stephen Eckersley, the ICO’s Head of Enforcement. "This case could have been extremely distressing to the individual and their family and may have been prevented if the information had been checked prior to it being sent."
ABHB has signed a commitment to improve training for staff in protecting patient’s personal data. New checking procedures will also be introduced across the organisation.
This is the first time an NHS organisation has been fined by the ICO, although Brighton and Sussex University Hospitals NHS Trust is facing a potential fine of £375,000 after 232 hard drives containing sensitive patient information were stolen. That Trust is currently contesting the fine.
The ICO has been very active so far this year, fining a number of councils for breaches of the DPA. This includes a record fine of £140,000 for Midlothian Council following five data breaches that the ICO described as "serious," relating to the disclosure sensitive personal data relating to children and their carers to the wrong recipients.
Cheshire East Council was fined £80,000 for a blunder which saw police concerns about an individual working in the area emailed to the wrong recipients, while two more councils – Croydon Council and Norfolk County Council – were fined for failing to keep highly sensitive information about the welfare of children secure.
More recently the ICO confirmed it would look into allegations that the personal details of participants in the London Marathon were accidentally published on the organiser’s website.
