St George’s Healthcare NHS Trust in London, UK has been handed a monetary penalty notice for £60,000 after the medical establishment sent two letters to the wrong recipient. The root cause of the foul-up? The trust did not update the recipient’s address, so the letters were sent to the “wrong” address. It just goes to show that data protection encompasses a wide swath, and attention must be paid to various aspects of the Data Protection Act. Loading up on data security tools like AlertBoot data encryption software for laptops and smartphones can only protect you so much.
Medical History and Details Sent
According to out-law.com, both letters, intended for the same person, contained sensitive information such as:
the individual’s medical history, details and findings of a physical examination that had been undertaken on them, a medical opinion on the findings and “microbiology results” relevant to the individual.
The ICO pointed out that the breach was a result of not interfacing correctly with national health records:
St George’s patient administration programme had “not been aligned” with the national care records service (SPINE). This meant staff had not been prompted to check that the individual’s address was correct. The SPINE records contained the up-to-date address and had done since 2006, it said.
Furthermore, staff failed to verbally confirm the address on record with the patient.
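The failure described above is a reconciliation gap: the local patient administration record was never compared against the authoritative national record before correspondence went out, so nobody was prompted to check. The following Python is an added illustration of that missing control; it is not code from St George’s, the ICO or the SPINE service, and the record layout, patient IDs and addresses are constructed for the example. A letter is only released for dispatch when the local address matches the authoritative one; any mismatch, or any patient with no authoritative record, is held with a reason so a member of staff confirms the address with the patient first.

```python
"""Hold outgoing patient letters whose address disagrees with the authoritative record.

Added illustration (not the trust's, the ICO's or SPINE's code). Both record
stores are plain dicts with constructed sample data so the script runs offline.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AddressCheck:
    patient_id: str
    ok: bool
    reason: str


def normalise(addr: str) -> str:
    # Case- and whitespace-insensitive comparison so a formatting difference
    # alone (e.g. "high street" vs "High Street") does not hold the letter.
    return " ".join(addr.upper().split())


def check_address(local: dict, authoritative: dict) -> AddressCheck:
    """Compare one local PAS record against the authoritative address store."""
    pid = local["patient_id"]
    auth = authoritative.get(pid)
    if auth is None:
        # No authoritative record: cannot reconcile, so prompt staff to verify.
        return AddressCheck(pid, False, "no authoritative record; confirm address with patient")
    if normalise(local["address"]) != normalise(auth["address"]):
        return AddressCheck(
            pid, False,
            f"local address differs from authoritative record (updated {auth['updated']}); "
            "confirm with patient before sending",
        )
    return AddressCheck(pid, True, "addresses match")


def dispatch_queue(letters: list, local_records: dict, authoritative: dict):
    """Split letters into (send, hold); each entry is (letter, AddressCheck)."""
    send, hold = [], []
    for letter in letters:
        result = check_address(local_records[letter["patient_id"]], authoritative)
        (send if result.ok else hold).append((letter, result))
    return send, hold


# Constructed sample data: P001 has a stale local address, P002 matches apart
# from formatting, P003 has no authoritative record at all.
LOCAL = {
    "P001": {"patient_id": "P001", "address": "1 Old Street, London"},
    "P002": {"patient_id": "P002", "address": "5 High Street, London"},
    "P003": {"patient_id": "P003", "address": "7 Side Lane, London"},
}
AUTHORITATIVE = {
    "P001": {"address": "9 New Road, London", "updated": "2006-03-01"},
    "P002": {"address": "5 high  street, london", "updated": "2010-01-01"},
}
LETTERS = [
    {"patient_id": "P001", "subject": "clinic findings"},
    {"patient_id": "P002", "subject": "appointment"},
    {"patient_id": "P003", "subject": "test results"},
]


if __name__ == "__main__":
    send, hold = dispatch_queue(LETTERS, LOCAL, AUTHORITATIVE)
    for letter, result in send:
        print(f"SEND  {result.patient_id}: {letter['subject']}")
    for letter, result in hold:
        print(f"HOLD  {result.patient_id}: {letter['subject']} -- {result.reason}")
```

Run as a script it prints one line per letter; in a real workflow the `hold` list is what the clerk sees at the point of dispatch, which is exactly the prompt the ICO said was absent.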
Is this a Fair Penalty?
On the surface, a fine for sending two letters to the “wrong” address because one’s database was out of date appears preposterous. On the other hand, the fix — asking each and every patient whether his or her address on file is the correct one — is so simple, and ought to be incorporated as part of a hospital’s workflow, that not penalizing them doesn’t make sense. Indeed, each time that I visit a medical establishment, I’m asked to fill in my address in a form, regardless of whether I’m in their system.