Data Protection: Aneurin Bevan Health Board Fined £70,000 By ICO.

Aneurin Bevan Health Board (ABHB), a Welsh health board, has become the first NHS organization to be fined under the Data Protection Act.  Based on the number of breaches that the NHS has been reporting over the years, it’s surprising that this hasn’t happened sooner.  For example, plenty of USB memory sticks, external hard drives, and laptop computers that were not protected with full disk encryption like AlertBoot have been lost or stolen over the years.

In the ABHB case, the cause of the breach defies belief: a mistake in spelling a patient’s name, and a secretary who apparently just took a stab at guessing what the name might be.

£70,000 for One Man’s Report

ABHB was fined £70,000 after sending a patient’s health report to the wrong person.  The incident took place in March of last year, which raises the question: why is ABHB being fined now?

According to various sources, the breach’s Rube Goldberg machine-like series of events began with a doctor (in some reports, a consultant) emailing a letter to a secretary for formatting.  In the letter, the patient’s name appeared both misspelled and spelled correctly.  The letter, however, did not contain enough information for the secretary to identify the patient.

At this point, one would imagine the secretary emailing the doctor and asking him/her to identify the patient.  But, no, the report was sent to another patient with a similar name.

According to,

Stephen Eckersley, the ICO’s head of enforcement, said the mistake could have been prevented if the information had been checked before being sent out.

Even more worrisome,

An investigation by the ICO found neither member of staff had received training in data protection and there were inadequate checks in place within the board to ensure personal information was only sent to the correct recipient.

These poor practices were also used by other clinical and secretarial staff across the organisation. [, my emphasis]

A spokesman for ABHB had this to say:

“We have 14,000 staff and have hundreds of thousands of contacts with patients each year, with systems in place to discharge these patient contacts confidentially,” said the spokesman….

This was a genuine and unintended individual error, which was self-reported by the organisation to the information commissioner, because of the importance the health board places on information governance and in line with the commissioner’s own guidance.  []

While I don’t doubt that ABHB places a lot of emphasis on patient data security, and that it has systems in place…well, it doesn’t do one much good if they’re upended by something so simple as not checking on who the patient is, does it?

Consider, for example, a letter that addresses both a “Mr. Brown” and a “Mr. Browne.”  Are you just going to gloss over the difference in spelling?  Which one is the misspelled name?  The right move would be to get back to the original person who wrote the missive.
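The “get back to the original author” rule above, together with the ICO’s finding that ABHB had no adequate check to ensure information only went to the correct recipient, can be expressed as a simple pre-dispatch control: before a letter goes out, confirm that it names exactly one patient and that the name agrees with the recipient record it is addressed to. The following is an added example written for this post; it is not code from ABHB, the ICO or AlertBoot. The patient records, the `P-0001`/`P-0002` identifiers and the honorific-based name extraction are constructed assumptions for illustration.

```python
"""Pre-dispatch recipient check (illustrative; not ABHB's, the ICO's or AlertBoot's code).

Blocks a patient letter when it mentions no patient name, more than one
distinct name (the Brown/Browne situation), or a name that does not match
the recipient record. Near matches are reported separately so the sender
can see that a spelling error, not an unrelated patient, is the likely cause.
"""
import re
from difflib import SequenceMatcher

# Constructed sample records keyed by a hypothetical patient identifier.
PATIENT_RECORDS = {
    "P-0001": {"name": "John Brown", "address": "1 Example Road"},
    "P-0002": {"name": "John Browne", "address": "2 Sample Street"},
}

# Simplification: a patient name is a surname following an honorific.
_NAME_RE = re.compile(r"\b(?:Mr|Mrs|Ms|Dr)\.?\s+([A-Z][a-z]+)\b")


def names_in_letter(text):
    """Return the distinct surnames that appear after an honorific, sorted."""
    return sorted(set(_NAME_RE.findall(text)))


def similarity(a, b):
    """Case-insensitive similarity ratio in [0, 1]; 1.0 means identical."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def check_dispatch(letter_text, recipient_id, near_match_threshold=0.8):
    """Decide whether a letter may be sent to recipient_id.

    Returns (allowed, reason). Sending is refused when the recipient is
    unknown, when the letter names no patient, when it names more than one
    patient, or when the single name it contains is not the recipient's
    surname. A near match (Brown vs Browne) is flagged for confirmation
    with the author rather than silently sent.
    """
    record = PATIENT_RECORDS.get(recipient_id)
    if record is None:
        return False, f"unknown recipient {recipient_id}; do not send"
    surname = record["name"].split()[-1]
    found = names_in_letter(letter_text)
    if not found:
        return False, "no patient name found in letter; return to author"
    if len(found) > 1:
        return False, (f"letter names more than one patient "
                       f"({', '.join(found)}); return to author")
    (name,) = found
    if name == surname:
        return True, f"name matches recipient record {recipient_id}"
    if similarity(name, surname) >= near_match_threshold:
        return False, (f"'{name}' is a near match for recipient '{surname}'; "
                       f"confirm with author before sending")
    return False, f"'{name}' does not match recipient '{surname}'; do not send"


if __name__ == "__main__":
    # Constructed sample letters reproducing the Brown/Browne ambiguity.
    ambiguous = "Dear Mr Brown, please find the results for Mr. Browne enclosed."
    clean = "Dear Mr Brown, your appointment is confirmed."
    for letter, recipient in ((ambiguous, "P-0001"), (clean, "P-0001"), (clean, "P-0002")):
        allowed, reason = check_dispatch(letter, recipient)
        print("SEND" if allowed else "HOLD", "->", reason)
```

Real systems should key the check on a structured patient identifier carried with the letter (for NHS correspondence, the NHS number) rather than on surnames scraped from free text; the honorific regex here will also pick up a signing clinician’s name, which is exactly the kind of ambiguity the check should surface rather than resolve by guessing.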

The Road to Hell is Paved with Good Intentions

And the road to data breaches is paved with “genuine and unintended individual errors.”

For example, what is the claim that is generally made when a laptop computer with sensitive data goes missing?  That it was an unintended error.  A one-time mistake.  Won’t happen again.  They had systems to ensure “certain things don’t happen.”

But did they use medical data encryption software, which pretty much guarantees that “certain things don’t happen”?  No, of course not.  And yet, an organization finds itself “disappointed” to be fined under the law.

While it might be a poor comparison, take this example.  If you purposefully run over someone with your car, that is murder.  If you run over someone without the intention of killing that person, it’s manslaughter.  Whatever the intention may have been, both are followed with punishment because real harm was done.

I don’t see why it should be any different for data breaches.
