BreachExchange mailing list archives

Staffordshire NHS trust fined thousands over patient data breach
From: Erica Absetz <erica () riskbasedsecurity com>
Date: Thu, 13 Jun 2013 10:14:40 -0500

http://www.publicservice.co.uk/news_story.asp?id=23190

An NHS trust in Staffordshire has been hit with a £55,000 fine after a
serious data breach in which it mistakenly sent sensitive medical
details to a member of the public, the Information Commissioner's
Office has confirmed.

North Staffordshire Combined Healthcare NHS Trust faces the penalty
after records on three patients were faxed to the wrong number.

The records, showing patients' names, addresses, medical histories,
and details of their physical and mental health, should have been
faxed to the trust's Wellbeing Centre, which provides psychological
therapies.

But on three occasions the fax number was incorrectly dialled, leading
to a member of the public receiving the material.

Guidance on phoning ahead of faxes had not been communicated to the
staff involved and they had received no specific training on the
secure use of fax machines, the ICO added.

"Let's make no mistake, this breach was entirely avoidable," said
enforcement group manager, Sally Anne Poole.

"One phone call ahead to the trust's Wellbeing Centre would have
alerted its staff to the fact that the number they were entering was
incorrect. This would have stopped highly sensitive information about
the care of vulnerable people being sent to a member of the public on
three separate occasions.

"This case should act as a warning to all organisations that routinely
send out sensitive personal information by fax. Make sure you have
appropriate procedures and controls in place, so that errors can be
spotted before it is too late."

This is the latest in a growing list of fines to be imposed on NHS
bodies for breaching the Data Protection Act, some of which have been
much larger. The ICO does have the power to fine up to £500,000 for
the most serious breaches.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
