UK Health Board Fined Over Breach
First NHS Organization Penalized Under Data Protection Act
The UK has announced the first fine against a National Health Service unit for a breach in violation of the Data Protection Act. The Aneurin Bevan Health Board in Wales was fined £70,000 by the Information Commissioner's Office for sending sensitive patient information to the wrong person.
"The error occurred when a consultant e-mailed a letter to a secretary for formatting, but did not include enough information for the secretary to identify the correct patient," according to a government press release. The doctor also misspelled the name of the patient, which resulted in the report being sent to a former patient with a similar name, the ICO explained.
An ICO investigation determined that the staff members had not received data protection training and that the organization lacked "adequate checks" to ensure personal information was sent to the correct person.
"The damage and distress caused by the loss of a patient's medical record is obvious, therefore it is vital that organisations across this sector make sure their data protection practices are adequate," says Stephen Eckersley, the ICO's head of enforcement.
"We are pleased that the Health Board has now committed to taking action to address the problems highlighted by our investigation; however organisations across the health service must stand up and take notice of this decision if they want to avoid future enforcement action from the ICO," Eckersley stressed.
A copy of the monetary penalty notice can be viewed here.