Hospital data breach results in ‘no further action’

A DATA breach which saw personal details of women who had suffered stillbirths published online has resulted in no further action being taken.

Hampshire Hospitals NHS Foundation Trust (HHFT), which runs Basingstoke hospital, reported the data breach to the Information Commissioners Office (ICO) after it was uncovered last month by the Gazette.

The information about the three women included details of their previous miscarriages and pregnancy terminations and was listed as ‘restricted’ in the documents published online, which were freely available for anyone to access.

The matter was reported by the trust after the Gazette raised concerns that the published information could lead to the women being identified.

The ICO has now concluded its investigation into the incident, and decided not to take any further action, but to instead offer advice to the trust.

Julie Dawes, deputy chief executive and chief nurse at HHFT, said: “Last month as a precaution we referred a potential breach in our recent board papers to the Information Commissioner’s Office (ICO).

“We have received the decision that “no further action by the ICO is necessary on this occasion” and we are constantly reviewing our practice to ensure we meet the highest possible standards.

“Following an internal review, we have already taken steps to ensure the learning from this matter is fully taken into account.”

A spokesperson for the ICO said: “We looked into the details of this incident and decided not to take formal enforcement action on this occasion.

“The women affected were not named, we didn’t consider them to be easily identifiable and the trust had reviewed the papers prior to publication.

“We provided advise about data protection to the trust to consider additional measures to render identification less likely in future instances.”

The trust previously apologised to the women affected, and said it was offering them support.

The news comes as the Gazette can reveal that HHFT has reported eight other data breaches to the ICO in the last five years, with just one resulting in further action.

The breaches include data emailed to the incorrect recipient in July this year; information posted or faxed to the wrong person in August last year; and a disclosure of data in July 2017.

Only one – a disclosure of data in October 2018 – resulted in any action being taken, with the matter referred to a data controller to take action to tackle a shortfall in information rights practice.

However, when the Gazette asked HHFT how many breaches were reported to the ICO over the last five years, and what the outcomes were, it said that none had resulted in any further action.

 

Source link

Leave a comment