NHS Highland has been reprimanded for a “serious breach of trust” after an error led to data on 40 patients linked to HIV treatment systems being leaked. Data watchdog the Information Commissioner’s Office (ICO) says the health service organisation must apply higher standards when protecting such sensitive data.
The ICO has chosen to implement the “public sector approach” in punishing the body, which is a reprimand instead of a £35,000 fine which would be issued to a private sector organisation for such a misdemeanour.
NHS Highland is the largest of 14 regional health bodies in Scotland, covering the care of 320,000 people.
NHS Highland data breach: patient information leaked
The breach occurred when NHS Highland sent an email to all of its HIV service patients which exposed details of the entire mailing list, giving patients access to names and emails.
The health service inadvertently put the recipients in the carbon copy (CC) field instead of blind carbon copy (BCC), so every recipient could see the full list, leading some patients to recognise one another. One recipient confirmed they recognised four individuals, one of whom was a previous sexual partner.
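The control that would have caught this is an outbound check on bulk mail: any message whose visible To/Cc headers carry more than one external address discloses every recipient to every other recipient. The following is an added example (not code from NHS Highland or the ICO) that parses a constructed message, flags the exposure, and rewrites it so the recipients travel only in the SMTP envelope, which is what Bcc does; the addresses and threshold are assumptions.

```python
import email
from email.utils import getaddresses

# Constructed sample reproducing the failure mode: every patient listed in Cc.
RAW_BULK_CC = """From: clinic@example.org
To: clinic@example.org
Cc: patient1@example.net, patient2@example.net, patient3@example.net
Subject: Clinic appointment changes

The clinic will be closed next Monday.
"""

VISIBLE_HEADERS = ("To", "Cc")  # Bcc is stripped by the MTA; these are not.


def visible_recipients(msg):
    """Every address any recipient of this message can read from the headers."""
    values = []
    for header in VISIBLE_HEADERS:
        values.extend(msg.get_all(header, []))
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def exposed_recipients(msg):
    """Visible addresses other than the sender's own: the data that leaks."""
    sender = {a.lower() for _, a in getaddresses(msg.get_all("From", []))}
    return [a for a in visible_recipients(msg) if a not in sender]


def is_bulk_exposure(msg, max_visible=1):
    """True when more than max_visible recipients can see each other (assumed policy)."""
    return len(exposed_recipients(msg)) > max_visible


def rewrite_to_bcc(msg):
    """Move exposed recipients out of the headers and into the envelope.

    Returns (message, envelope_recipients); the caller passes the list to
    smtplib.SMTP.sendmail so each recipient sees only the sender in To.
    """
    rcpts = exposed_recipients(msg)
    sender = msg["From"]
    del msg["To"]
    del msg["Cc"]
    msg["To"] = sender
    return msg, rcpts


if __name__ == "__main__":
    m = email.message_from_string(RAW_BULK_CC)
    print("exposure:", is_bulk_exposure(m), exposed_recipients(m))
    fixed, envelope = rewrite_to_bcc(m)
    print("after rewrite:", is_bulk_exposure(fixed), envelope)
```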
Stephen Bonner, ICO deputy commissioner, expressed deep concerns over the lacklustre treatment of such sensitive data. “The stakes are just too high,” he said. “Research shows that people living with HIV have experienced stigma or discrimination due to their status, which means organisations dealing with this type of information should take the utmost care with their personal data.”
The highest standards must be set by the services when working with such potentially damaging data, he added. “Every HIV service provider in the country should look at this case and see it as a crucial learning experience. We are calling on organisations to raise their data protection standards and put the appropriate measures in place to keep people safe,” said Bonner.
Nearly one thousand of these so-called “non-cyber” breaches have been reported since 2019, the ICO says. “Under data protection law, organisations must have appropriate technical and organisational systems in place to ensure personal data is kept safe and not inappropriately exposed to others,” a statement said.
Data breaches in the NHS can be costly
NHS data leaks can be highly damaging. In February of last year, personal data from tens of thousands of people was leaked in a massive data breach that included details of medical procedures of adults and children.
This was leaked from a third-party supplier of patient letter print fulfilment and dispatch, PSL Print Management. The breach happened when an employee, who was in dispute with the company, requested all emails and texts related to their employment. They were instead sent a memory stick appearing to be full of the contents of the firm’s entire email server, featuring data apparently from patients.
In 2020, the NHS was penalised again, this time for the compromise of over 100 staff accounts: some 113 NHS email accounts were taken over through phishing attacks.