NHS trust fined £60k for 'distressing' data breach
12 July 2012
St George's Healthcare NHS Trust has become the latest NHS body to face a monetary penalty from the Information Commissioner after it sent sensitive medical information on a vulnerable patient to the wrong address.
The London trust has been fined £60,000 by the Information Commissioner's Office for the data breach which the regulator said was both "distressing" for the individual concerned and also "avoidable".
Two letters were sent out in May 2011 to an address that the individual had not lived at for nearly five years. This was despite the fact that staff had been given the correct current address, which was also logged on the NHS SPINE national care records service.
NHS staff failed to use the address that had been supplied to them before the patient's examination, and they also failed to check their local database against information held on SPINE.
A prompt had even been set up to remind staff to check and update patient records against SPINE. This prompt could however be bypassed - something the trust knew about before the breach.
"It's hard to imagine a more distressing situation for a vulnerable person than the thought of their sensitive health information being sent to someone who had no reason to see it," said Stephen Eckersley, the ICO's head of enforcement.
"This breach was clearly preventable and is the result of the trust's failure to make sure the contact details they have for their patients are accurate and up to date."
The ICO has now issued four fines to NHS bodies in the past two months, the largest of which stands at £325,000.
But even higher fines can be issued and the regulator has the power to issue penalties of up to £500,000 for serious breaches of the Data Protection Act.
Information Commissioner Christopher Graham has previously warned of a "systemic" problem in the health service.
And there are now fears from within the NHS that things could soon get worse as a result of Andrew Lansley's controversial health reforms.
Robin Smith, an NHS information governance manager, told Publicservice.co.uk in May that an increased reliance on third party suppliers could result in an "epidemic of data breaches".
Responding to the latest fine, a spokesman for St George's Healthcare NHS Trust said that they accepted the penalty and that the trust had "sincerely apologised to those affected for the distress the incident has caused".
"As soon as we discovered this mistake we reported it to the ICO and contacted those affected to explain what had happened," the spokesman said.
"We launched an immediate investigation and have introduced a number of measures to help prevent similar incidents in the future, including clearer documentation and additional training for staff. We have also made improvements to our information systems to ensure that our staff always have access to the most up to date patient contact details."