ICO fines Welsh health board £70,000 for patient record loss

For the first time, the ICO fines an NHS organisation for sending patient data to the wrong person.

The UK Information Commissioner’s Office (ICO) has fined a National Health Service (NHS) organisation for breaching a patient’s data privacy. The action marks the first time the ICO has used its authority to issue a financial penalty on an NHS organisation following the loss of sensitive data.

On April 30, the ICO fined the Welsh Aneurin Bevan Health Board (ABHB) £70,000 after a report containing explicit details relating to a patient’s health was sent to the wrong person. The ICO found ABHB did not have suitable checks in place to keep sensitive information secure.

The ABHB reported the breach to the information commissioner. Julian Hayman, of the ABHB’s corporate affairs department, said ABHB was “disappointed that a financial penalty has been applied.”

“The Health Board personally approached the patient concerned prior to contacting the Information Commissioner in order to apologise for the breach and to ensure the patient was fully aware of the breach and the action we were taking to respond,” Hayman said.

In a written statement, Stephen Eckersley, the ICO’s head of enforcement, said: “We are pleased that the Health Board has now committed to taking action to address the problems highlighted by our investigation; however, organisations across the health service must stand up and take notice of this decision if they want to avoid future enforcement action from the ICO.”

The ICO's action comes at a time when the European Union (EU) is working to tighten data protection laws. The EU made specific reference, for the first time, to health-related data in its 2012 proposal for a new data protection regulation. These developments are seen as warnings to organisations in the health care sector that they must do more to protect patient data.

Some observers believe the ICO fine is a shot across the bow of the health care sector that will force health care organisations to spend more to better secure patient data.

“The ICO has reprimanded a string of NHS organisations for poor information security over the last few years, but this has formerly resulted in nothing more than a smack on the wrist,” said SA Mathieson, senior health care analyst for public sector market intelligence provider Kable in London. “However, this relatively steep fine for a breach of a single individual's data will give health care organisations added reason and possibly budget to correct such faults.”

Mik Horswell, marketing and communications director for the UK Council for Health Informatics Professions, said, “This is not the first time that a health care organisation has been in trouble for a data confidentiality breach, just the first time the new powers to [issue a] fine have been invoked.”

Horswell believes the NHS is vulnerable to human error causing breaches of data security. “The one huge weakness of the NHS is that it is a people-based organisation with around 1.4 million staff providing services to millions of people every year,” Horswell said. “With the best will in the world, it is possible for mistakes to happen.

“This is not to make excuses for poor practice, but it does rely on avoiding human error at a time when there are significant organisational changes taking place and public spending cuts are being forced by the recession,” Horswell added.

Horswell pointed out the EU proposal to tighten data security may be a long time coming as, once agreed, it will have to be enacted into UK legislation.

Meanwhile, Horswell believes ICO fines can have a positive effect on health care data security.

“Highlighting breaches like this does have a positive effect on other organisations in terms of realising the dangers inherent in handling people's personal data,” he said.
