Recent medical data breaches

August 24, 2014 |

Medical records containing personal information are, by definition, sensitive information under the Privacy Act 1988.  Similar protections apply in the UK under statute.  And yet medical data breaches in the health industry remain depressingly regular.

A few recent examples from the UK.

The Nottingham Post reports in Nottinghamshire ambulance service loses more than 40,000 medical records  about significant loss of personal information by the Notthinghamshire Ambulance Service.

It provides:

THE private medical records of more than 40,000 patients have been lost by the ambulance service for Nottinghamshire.

The documents, including names, addresses, contact numbers and details of medical conditions, cover patients attended to by paramedics from September to November 2012.

East Midlands Ambulance Service (EMAS) says the floppy disk containing the information – lost from Beechdale ambulance station – can only be accessed by specific, now-obsolete hardware and the loss has been reported to the Information Commissioner.

The disc contains scanned copies of notes taken by paramedics when they attended 999 calls, as well as doctors’ details and information about blood pressure, heart rate and other conditions.

EMAS chief executive Sue Noyes said: “A data cartridge containing just under 42,000 electronic copies of scanned handwritten Patient Report Forms, which we believe are from September 2012 to November 2012, has gone missing from our Beechdale divisional headquarters in Nottingham.

“The cartridge is small and there is a possibility that it is still on our premises.

“We are conducting a thorough search of the building.”

Ms Noyes said that the service took its responsibility for the security and confidentiality of patient records very seriously and added: “It is extremely unfortunate that this incident has occurred, particularly as, during this financial year, we are replacing the current computerised storage system to strengthen security arrangements.

“We have taken a proactive approach to report this because we are an open and transparent service and we know it is our duty to inform people when such an incident occurs.”

A former member of EMAS staff, who worked as both a paramedic and a manager, said: “It is ridiculous. When I was there, security was a bit hit-and-miss. This is just one in a series of problems; EMAS staggers from one crisis to the next.

“Patient security is paramount – it has to be.”

A joint statement from Martin Gawith, chairman of Healthwatch Nottingham, and Joe Pidgeon, chairman of Healthwatch Nottinghamshire, which represent patients in the area, said: “This is not what we would expect from a well-run public service.”

Meanwhile down the road in Surrey a van containing pathology samples with personally identifiable information of hundreds of information was stolen.  Not exactly the work of master criminals given the van was unlocked and, helpfully, the keys were inside.  It is reported at GP anger at ‘outrageous’ loss of patient blood samples and data.  It is also reported here.

It provides:

GPs have reacted with outrage after police confirmed a van stolen with hundreds of pathology test samples was left unlocked, with its keys inside

Merton Police have called off the search for the van, stolen with up to 300 vials of blood, smears, other samples and patient-identifiable data, because of a lack of evidence.

The vehicle was stolen from outside a GP practice in Surrey after collecting test samples from 10 practices across the area to take to the Epsom and St Helier pathology service.

Wimbledon GP and GPC member Dr Paul Cundy, whose practice uses the pathology service, said: ‘It’s outrageous. It is not acceptable for vans with clinical material in them to be left unattended with the keys in them. There’s no excuse for that.’

Review safety protocols

Epsom and St Helier Hospitals NHS Trust should review whether it had the right protocols in place to ensure safety of test samples, he said.

A spokeswoman for Merton police told GP: ‘Merton police have investigated the circumstances surrounding the theft of a motor vehicle, which occurred on Wednesday 30 July, outside a medical practice on Middleton Road in Morden.

‘The matter was fully investigated, however, there was no CCTV, no forensic opportunities and no known suspects. Due to these factors, the investigation has been closed. Any new or further evidence which comes to light will be re-examined and investigated fully.’

A spokeswoman for Epsom and St Helier Hospitals said it could not comment on the circumstances of the theft.

Lest the locals think the problem only happens north of the equator the Privacy Commissioner recently considered a serious privacy breach at Pound Road in an own motion investigation.  I posted on it here. Allowance must be made for the investigation being undertaken under the pre amendment provisions so the limited response is, perhaps, understandable.  Sort of.  One can only hope that with his newly acquired powers the Privacy Commissioner will be able to take the appropriate enforcement actions for data breaches in the health industry.

One Response to “Recent medical data breaches”

  1. Recent medical data breaches | Australian Law Blogs

    […] Recent medical data breaches […]

Leave a Reply