The UK’s Information Commissioner’s Office has assessed a monetary penalty of £90,000 on Central London Community Healthcare NHS Trust for erroneously sending 45 faxes containing sensitive medical information. It’s one of those problems that no technical control can prevent on its own: not a VPN, not data encryption software, not DLP. I guess humans as the weak link in the chain strike again.
Recipient Finally Contacts Trust
The data mishap continued for three months until the mistaken recipient of the faxes contacted the NHS and alerted them of the data breach. In that time, 45 faxes with information on 59 different people were sent via the facsimile machine, including “their diagnoses and information about their domestic situations and resuscitation instructions,” according to guardian.co.uk.
The person who received the faxes had been shredding them.
The ICO stated that,
“The fact that this information was sent to the wrong recipient for three months without anyone noticing makes this case all the more worrying.”
and the NHS Trust was fined because
The ICO said that the trust didn’t have enough checks in place to make sure that sensitive faxes went to the right people and it wasn’t training its staff adequately on data protection.
On the face of it, this sounds ridiculous. £90,000 because someone wasn’t calling up the other side and confirming the fax’s receipt? Turns out, though, that this is exactly what the NHS was doing. From the ICO’s monetary penalty write-up:
On or about 28 March 2011, an administrator at the Pembridge Palliative Care Unit (the “Unit”) received a verbal request from St John’s Hospice (the “Hospice”) to send their inpatient lists to an additional fax number to ensure that service provision was unaffected during the leave of absence of one of the out of hours doctors. The administrator then created a template/fax coversheet listing both numbers, and printed a number of copies for use when the inpatient lists were faxed to the Hospice.
A fax protocol had been agreed between the Hospice and the Unit whereby the administrator would telephone the Hospice to confirm whether the inpatient lists had been received and the Unit would confirm receipt. However, the administrator did not update the fax protocol with the second number or obtain approval from his manager.
The administrator at the Unit then sent the inpatient lists to the second fax number in addition to the agreed fax number provided by the Hospice. After each transmission the administrator telephoned the Hospice as agreed and on each occasion the Hospice confirmed they had received the fax. However, unbeknown to the administrator the Hospice was only confirming receipt of the inpatient list sent to the fax number contained in the fax protocol and not the second fax number. As a result, the administrator continued to send the inpatient lists to the second fax number.
Does the £90,000 penalty sound fair? Granted, the incident was ongoing for three months, and chances are that it wouldn’t have stopped had the erroneous recipient not called up the NHS to alert them of the mistake. But it seems like such a small mistake, one that anyone could make.
And, yet, I’m left with an odd taste in my mouth. Assuming the above “administrator” is the same person throughout the ICO’s write-up, what does it matter that the fax protocol was never updated? The same person who added the second fax number to the coversheets is the same person who ended up faxing them.
Would it have killed him to ask “did you get the faxes sent to both numbers?”
Trust Challenges Penalty
Central London Community Healthcare NHS Trust is not accepting the penalty handed out by the ICO:
But despite accepting that the breach was “hugely regrettable”, the trust is making a legal challenge against the ICO’s penalty.
“We deeply regret that the Information Commissioner has decided to impose a fine and so we have instructed our lawyers to commence an appeal against this,” a spokesman for the trust said.
“We consider that the commissioner has acted incorrectly as a matter of law and so we have no alternative but to bring an appeal.” [publicservice.co.uk]
The challenge is a rare one. I dimly remember one previous challenge — although I can’t find a record of it, so I could be imagining things — so this is either the first or second such challenge since the ICO gained the power to issue monetary fines to violators of the Data Protection Act.
The challenge is also curious. Many complain that the fines assessed on such public bodies are ridiculous because (1) they are an indirect tax on the public, possibly on the very people who were affected by the data breach, and (2) they don’t directly affect the people in charge at the NHS, so they aren’t much of a deterrent.
On the face of it, that makes sense. But here we have an NHS Trust that, far from being blasé about the fine, is willing to fight it. It makes one wonder why. What’s the motivation?