UK: London NHS Trust fined £90,000 for serious data breach (updated)
Central London Community Healthcare (CLCH) NHS Trust has been fined £90,000 following a serious breach of the Data Protection Act (DPA), the Information Commissioner’s Office (ICO) announced today.
The breach first occurred in March last year, after patient lists from the Pembridge Palliative Care Unit, intended for St John’s Hospice, were faxed to the wrong recipient. The individual informed the Trust in June that they had been receiving the patient lists – around 45 faxes over a three-month period – but had shredded them.
The patient lists contained sensitive personal data relating to 59 individuals, including medical diagnoses and information relating to their domestic situations and resuscitation instructions.
The ICO’s investigation found that the Trust failed to have sufficient checks in place to ensure that sensitive information sent by fax was delivered to the correct recipient. The Trust also failed to provide sufficient data protection guidance and training to the member of staff concerned.
Stephen Eckersley, the ICO’s Head of Enforcement, said:
“Patients rely on the NHS to keep their details safe. In this case Central London Community Healthcare NHS Trust failed to keep their patients’ sensitive information secure. The fact that this information was sent to the wrong recipient for three months without anyone noticing makes this case all the more worrying.”
Update: According to Public Service, the trust plans to appeal the fine:
… despite accepting that the breach was “hugely regrettable”, the trust is making a legal challenge against the ICO’s penalty.
“We deeply regret that the Information Commissioner has decided to impose a fine and so we have instructed our lawyers to commence an appeal against this,” a spokesman for the trust said.
“We consider that the commissioner has acted incorrectly as a matter of law and so we have no alternative but to bring an appeal.”