Three staff investigated over Princess of Wales data breach
March 21, 2024
The Times reports that an investigation into a data breach involving the Princess of Wales’ medical records at the London Clinic has zeroed in on 3 staff. The Information Commissioner has also received a breach report and is investigating. The story has been picked up by the Australian with “Three hospital staff ‘tried to access Princess of Wales’s records’”. Initially one person was suspected of causing the data breach. That has expanded to three. That is not unusual. In cases where people seek out salacious information or photographs, the desire to share seems to be difficult to resist. That occurred when photos of Dani Laidley were inappropriately taken in a police station and then sent to other police officers.
Data breaches involving snooping into medical records are a chronic problem in hospitals. But they can be minimised if there are proper systems in place. Top of the list is requiring anyone accessing records to have authorisation and to sign in before they can view them. That creates a trail and may allow the system to alert IT when someone without authorisation has accessed those records or is trying to. It is not foolproof, as those who are determined can use others’ authorisation, but even then there are ways of dealing with that. In my experience it is no less a problem in Australia than in the UK. Given that regulation is laxer here and enforcement timid, the consequences for a breach here are less than in the UK.
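One way the access trail described above can drive alerts, shown as an added example that is not part of the original post or any hospital's actual system. The log format, user names, workstation IDs, care-team table and ten-minute window are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real): which staff are assigned to a patient,
# and the sign-in/access trail the records system would write.
CARE_TEAM = {"P-1001": {"dr_khan", "nurse_lee"}}
AUDIT_LOG = [
    # (timestamp, user, workstation, patient_id)
    ("2024-01-17T09:02:00", "dr_khan", "WS-12", "P-1001"),
    ("2024-01-17T09:40:00", "clerk_a", "WS-31", "P-1001"),
    ("2024-01-17T09:55:00", "clerk_b", "WS-44", "P-1001"),
    ("2024-01-17T10:05:00", "nurse_lee", "WS-12", "P-1001"),
    ("2024-01-17T10:07:00", "nurse_lee", "WS-58", "P-1001"),
]


def find_alerts(log, care_team, window=timedelta(minutes=10)):
    """Return sorted (kind, user, patient_id) alerts from an access trail."""
    alerts = set()
    last_seen = {}  # user -> (time, workstation) of that user's previous access
    for ts, user, ws, patient in sorted(log):
        when = datetime.fromisoformat(ts)
        # Rule 1: the viewer has no recorded care relationship with the patient.
        if user not in care_team.get(patient, set()):
            alerts.add(("no_care_relationship", user, patient))
        # Rule 2: the same account appears on a different workstation within
        # the window, which suggests a borrowed or shared login.
        prev = last_seen.get(user)
        if prev and prev[1] != ws and when - prev[0] <= window:
            alerts.add(("possible_shared_login", user, patient))
        last_seen[user] = (when, ws)
    return sorted(alerts)


if __name__ == "__main__":
    for kind, user, patient in find_alerts(AUDIT_LOG, CARE_TEAM):
        print(f"ALERT {kind}: {user} accessed {patient}")
```

The second rule is one way of dealing with staff using someone else's authorisation: the borrowed account is on the care team, so only the pattern of use gives it away.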
The Times article on the subject provides:
Three members of staff at the private hospital that treated the Princess of Wales are understood to be the subject of an investigation into an alleged attempt to access her private medical records.
Workers could face disciplinary action over claims of a data breach at the London Clinic, which treated the princess and the King in January.
On Wednesday, when asked about the alleged data breach at the clinic, Rishi Sunak’s official spokesman said: “I think we all want to get behind the Princess of Wales, and indeed the Prince of Wales, and we obviously wish her the speediest of recoveries.”
The private hospital in Marylebone, London, where the princess was admitted on January 16 for planned abdominal surgery, is at the centre of claims that her privacy was breached when the members of staff were said to have attempted to obtain her medical notes.
A Kensington Palace spokesman said that it was “a matter for the London Clinic” and declined to elaborate further.
The hospital, where the King was treated for an enlarged prostate also in January, gave assurances on Wednesday that “all appropriate investigatory, regulatory and disciplinary steps will be taken”.
Al Russell, the clinic’s chief executive, said: “Everyone at the London Clinic is acutely aware of our individual, professional, ethical and legal duties with regards to patient confidentiality.
“We take enormous pride in the outstanding care and discretion we aim to deliver for all our patients that put their trust in us every day.
“We have systems in place to monitor management of patient information and, in the case of any breach, all appropriate investigatory, regulatory and disciplinary steps will be taken.
“There is no place at our hospital for those who intentionally breach the trust of any of our patients or colleagues.”
The allegations came as the Prince of Wales, Colonel of the Welsh Guards, made a private visit to Combermere Barracks in Windsor. William, who became colonel of the regiment last year, went to see the facilities and plans for improvements at the barracks and “spend time connecting with soldiers, medics and physical training instructors”.
The UK’s privacy watchdog confirmed that it was looking into the alleged royal data breach.
Organisations must report misuse of personal data to the Information Commissioner’s Office within 72 hours of becoming aware of the breach. The maximum penalty for anyone found to access medical records without cause or consent is an unlimited fine. They do not face prison.
Tom Llewellyn, a partner in commercial litigation and data protection at Ashfords law firm, said the clinic’s act of notifying the ICO indicated that someone had breached the princess’s private data.
Llewellyn said: “You only have to take steps to notify the ICO if there has actually been a breach. The questions are then: who is responsible? What measures were in place to protect the data, and what are the implications?
“If this is somebody who shouldn’t be accessing the data of the Princess of Wales and did so of their own accord, the clinic isn’t directly liable. If there are lapses in best practice, however, the clinic could be fined hundreds of thousands.”
Sam Smith, of the health data privacy group MedConfidential, said: “The penalties are pathetic, but they’re also largely irrelevant. You could throw the person who leaked it in jail for life, and it has no effect on everyone now knowing information that they shouldn’t have known.”
Kate’s circumstances may be unique as a princess at the centre of a maelstrom of conspiracy theories. However, she is not the only patient whose medical records are at risk, Smith pointed out. Other people, whose privacy is not as closely guarded as that of the royal family, might never know who has been snooping around their private medical information.
Smith said: “The scale is widespread but unknown — we know creepy single doctors look up the records of women they go on dates with, to the extent that they tell the women they’ve done it because they expect there to be no consequences. And there aren’t.
“The safeguard in place is the ‘good chaps’ theory of data protection. It fails catastrophically and in secret.”
The London Clinic has been treating VIPs, from presidents, prime ministers and Hollywood stars, for almost a century. Anthony Eden, John F Kennedy and Elizabeth Taylor are among those who have relied upon the discretion of its staff.
Smith said that the reported breach was a reminder of wider data security concerns across the health service. “People aren’t worried about big computer systems because they don’t like better care; they’re worried because the safeguards are insufficient to stop creepy bastards being creepy bastards,” he added.
Last year, the ICO dealt with about 40,000 complaints about data protection, as well as taking more than 300,000 calls through its helpline.
In 2023, a medical secretary was found guilty and fined for illegally accessing the medical records of more than 150 people. Loretta Alborghetti, from Redditch, accessed the records of 156 people, including family members and neighbours, viewing them over 1,800 times, while she worked within the ophthalmology department at Worcestershire Acute Hospitals NHS Trust. She was fined £648.
In 2022, Christopher O’Brien, a former health adviser at the South Warwickshire NHS Foundation Trust, was found guilty of illegally accessing medical records of people he knew, without a valid legal reason. He was ordered to pay £250 compensation to 12 patients, totalling £3,000.
Ingrid Seward, editor-in-chief of Majesty magazine, said that the online rumours and frenzy around Kate were “spiralling out of control”.
“For me, it sort of has a very chilling feeling,” she told Times Radio. “It reminds me that just before the Princess of Wales was, the other, you know, Diana, Princess of Wales, was tragically killed in that car accident, it was spiralling out of control then.
“I remember every single day it was headline news — what she was doing on her holiday in France with Dodi Fayed. I just remember saying, ‘This is spiralling out of control.’ And I’ve got the same feeling now.”
Seward stressed that the royal family were entitled to privacy, adding: “They’ve got to have some privacy in order to survive, in order to exist and do what they do. They can’t have everything out there.”
However, Seward warned that the Windsors needed a new strategy and suggested that the late Queen’s advice to ignore rumours belonged to a different era.
“I think it is a world that’s gone. As much as it did use to work. ‘Never complain, never explain’ did work, but it doesn’t work now, not in the age of social media,” she said.
A spokesman for the General Medical Council, which regulates doctors, said: “We will take appropriate action where those concerns pose a risk to patients or public confidence in the profession.”
A spokesman for the Health and Care Professions Council, which regulates health workers from 15 different professions including radiographers, physiotherapists and paramedics, said: “We cannot confirm whether or not a registrant is being investigated or a complaint has been made.
“The HCPC has a duty of confidentiality to both complainants and our registrants.”
Lesley Maslen, executive director of professional regulation at the Nursing and Midwifery Council, said: “Our code is clear that all nurses, midwives and nursing associates must respect people’s right to privacy and confidentiality.”