UK Information Commissioner fines General Practitioner 35,000 pounds for failing to secure medical records
June 6, 2018
The UK Information Commissioner’s Office has once again shown how it should be done. The Bayswater Medical Centre left highly sensitive medical information unsecured in an empty building for more than 18 months.
The Centre vacated a building which it leased in July 2015 after moving to new premises, but continued to use it as a storage facility. Another local GP surgery, NHS West London CCG, was interested in taking over the lease of the empty building. It had access from June 2016. Employees of NHS West London CCG informed the Centre that there were unsecured ‘Lloyd George Records’ on the site. The Centre acknowledged that was the case. Foolishly, the Centre did nothing about the records, even when it was contacted again in January and February 2017 about whether the medical information had been secured, as NHS West London CCG didn’t want to let contractors access the site otherwise. The security concerns were referred to NHS England.
NHS England launched an investigation and it came to the attention of the Information Commissioner’s Office.
It is not surprising that the ICO fined the Centre given the abysmal way it protected medical records. The Centre had ample time to secure medical records. It didn’t do anything about it. Little wonder it received a fine.
As is commonly the way, the media coverage added reputational insult to financial injury, with wiredgov reporting in “Medical centre fined for abandoning sensitive information in empty building” and The Register with “Brit doctors surgery fined £35k over medical data fumble”, which provides:
Bayswater Medical Centre (BMC) in London is licking its wounds after taking a not insignificant punch to the wallet for discarding highly sensitive medical information in an empty building for a year and a half.
The Information Commissioner’s Office (ICO) said today the data included medical records, prescriptions and patient identifiable medicine. It was left unsecured when BMC vacated its surgery but used the premises as a storage dump from July 2015.
The following year, reps from another GP practice took over the lease, discovered the unsecured medical records and told the BMC, but the BMC made no effort to scoop up that information, despite repeated warnings from the other surgery and a local Clinical Commissioning Group.
Officers from NHS England paid a visit to the site in February 2017 and found a “large quantity” of the data left on desks, in unlocked cabinets and in bins. The BMC was ordered to send in the cleaners, so to speak.
The severity of this breach “merited” a fine of £80,000, said the ICO, but this was cut to £35,000 after the BMC’s ability to cough payment was considered.
“It is our duty to stand up for people’s data right[s] and to ensure that their sensitive personal information is protected,” said ICO head of enforcement Steve Eckersley.
“Out of sight is definitely not out of mind. We don’t want anyone to think that they can avoid the law or their duties by abandoning personal data in empty buildings,” he added. ®