The Information Commissioner’s Office (ICO) has issued three reprimands to public sector organisations for leaking NHS information through unsafe transfers of patient data.

ICO reprimands three institutions for leaking NHS data. (Photo by Ascannio/Shutterstock)

The trio of data breaches came at organisations in Northern Ireland and Scotland.

ICO reprimands UK institutions for leaking NHS data

In Northern Ireland, the Patient and Client Council (PCC), an independent body overseeing health and social care issues, and the Executive Office (EO), the department that oversees the running of the government, both illegally disclosed recipient details by using inappropriate group email options.

The PCC was found to have sent an email to 15 people across Northern Ireland, each of whom had lived experience of gender dysphoria, using the CC option rather than BCC, the ICO said. This meant all the recipients’ email addresses were on display to each other. “Although the body of the email did not contain personal information, the people who received the email could reasonably infer that the other recipients also had experience of gender dysphoria, given their inclusion in the email,” the data watchdog said.

The ICO has also rebuked Northern Ireland’s Executive Office for sending an e-newsletter concerning the Historical Institutional Abuse (HIA) Inquiry to 251 subscribers. The EO failed to appropriately mask the “to” field, divulging all of the subscribers’ information to each other. “It can be inferred that the people included in the email were likely to be victims and survivors” of domestic abuse, the ICO said, “as the newsletter content was tailored to survivors who were wishing to engage, or who were already engaging, with the HIA Inquiry compensation scheme.”
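A pre-send guard for the failure mode in both the PCC and Executive Office cases above, as an added example (not code from the ICO or either organisation). It assumes a mailing policy under which a bulk message may show at most one visible address in To/Cc (typically the sender's own) and every other recipient must sit in Bcc; the addresses are constructed.

```python
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from email.utils import getaddresses

# Assumed policy for a mass mailing: at most one address may be visible in
# To/Cc (typically the sender's own); everyone else must be in Bcc.
VISIBLE_RECIPIENT_LIMIT = 1


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient will see: To and Cc. Bcc is excluded because
    a compliant mail client or MTA strips it before delivery."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses([str(h) for h in headers]) if addr]


def bulk_mail_is_safe(msg: EmailMessage, limit: int = VISIBLE_RECIPIENT_LIMIT) -> bool:
    """True when the mailing does not disclose the recipient list."""
    return len(visible_recipients(msg)) <= limit


def check_raw_message(raw: str) -> bool:
    """Same check applied to a serialised message, as a mail gateway would see it."""
    return bulk_mail_is_safe(message_from_string(raw, policy=default))


def build_bulk_mail(sender: str, subject: str, body: str,
                    recipients: list[str], safe: bool = True) -> EmailMessage:
    """Build a mailing. safe=False reproduces the CC mistake the ICO describes;
    safe=True addresses the message to the sender and hides the list in Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    if safe:
        msg["To"] = sender
        msg["Bcc"] = ", ".join(recipients)
    else:
        msg["Cc"] = ", ".join(recipients)
    return msg


if __name__ == "__main__":
    # Constructed sample addresses, not real subscribers.
    people = [f"subscriber{i}@example.org" for i in range(1, 16)]
    for safe in (False, True):
        m = build_bulk_mail("newsletter@example.org", "Update", "Hello", people, safe)
        print("safe=%s passes=%s visible=%d" % (safe, bulk_mail_is_safe(m), len(visible_recipients(m))))
```

The same `check_raw_message` rule can run on outbound mail at a gateway, where it catches the mistake before the message leaves the organisation rather than after.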

NHS Lanarkshire in Scotland has also been in the ICO’s crosshairs after staff were discovered sharing patient information via WhatsApp. Between April 2020 and April 2022, 26 staff at the NHS trust had access to a WhatsApp group where patient data was entered on more than 500 occasions. “This data included names, phone numbers and addresses,” the ICO said. “Images, videos and screenshots, which contained clinical information, were also shared.”

A non-staff member was also added to the WhatsApp group in error, resulting in the inappropriate disclosure of personal information to an unauthorised individual.

Information Commissioner John Edwards said: “When accessing healthcare and other vital services, people need to trust that their data is in safe hands.”

NHS patient data leaks are commonplace

Data has also been leaking from other parts of the NHS. In March, NHS Highland was reprimanded by the ICO for a “serious breach of trust” after an error led to data on 40 patients linked to HIV treatment systems being leaked. The ICO said at the time that health service organisations must apply higher standards when protecting such sensitive data.

In June, over one million NHS records were leaked during a cyberattack on the University of Manchester. The data involved reports of major trauma patients across the country from over 200 hospitals.

The government has been aiming to improve data security in the health service, and last year released a strategy for how data will be used and managed in the NHS. Entitled Data saves lives, it “sets out plans to harness digital efficiency and data to improve outcomes, while maintaining the highest standards of privacy and ethics and taking targeted action to build public trust around how we use data in the NHS.” 
