The Information Commissioner’s Office (ICO) has fined the Central London Community Healthcare (CLCH) NHS Trust £90,000 for a serious breach of the Data Protection Act (DPA).
The ICO said the first breach occurred in March last year, when patient lists from the Pembridge Palliative Care Unit, which were supposed to be sent to St John’s Hospice, were faxed to the wrong recipient.
In total the sensitive information was sent to the wrong person 45 times during a three-month period. The recipient informed the Trust in June last year that they had been receiving the faxes but had shredded them. The data controller at the Trust was unable to trace this individual, the ICO said.
The information included sensitive personal data relating to 59 individuals, said the ICO, and contained details such as medical diagnoses and information relating to their domestic situations and resuscitation instructions.
The ICO’s investigation found multiple failings by the Trust. The decision to fax the patient information from Pembridge Palliative Care Unit to an additional number at St John’s Hospice was taken to ensure the information got through when one of the out-of-hours doctors was on leave.
A process was already in place for the Hospice to confirm it had received the original list, but this protocol was not updated to include the second, additional fax number, the ICO said. This meant the lists continued to be sent to the wrong recipient.
The member of staff had also not been given suitable training for handling sensitive information.
The Trust has now stopped sending faxes containing sensitive patient information and will look into more secure methods of transferring data, such as secure email.
"Patients rely on the NHS to keep their details safe. In this case Central London Community Healthcare NHS Trust failed to keep their patients’ sensitive information secure," said Stephen Eckersley, the ICO’s Head of Enforcement.
"The fact that this information was sent to the wrong recipient for three months without anyone noticing makes this case all the more worrying," he added.
It is the second fine levied at an NHS organisation this year. In April, the Aneurin Bevan Health Board was fined £70,000 after a series of errors resulted in a report, which contained sensitive information relating to a patient’s health, being sent to the wrong person.