UK: South West Yorkshire Partnership NHS Foundation Trust
From the ICO:
An undertaking to comply with the seventh data protection principle has been signed by South West Yorkshire Partnership NHS Foundation Trust.
This follows a series of incidents where patient data was sent to incorrect addresses. On investigation it was disovered that although the Trust had issued ad hoc guidance to staff following each breach, this had not been formalised in any policy or procedure.
The incidents were summarized as follows:
The Information Commissioner (the ‘Commissioner’) was informed on 19 July 2013 that the Trust had disclosed a discharge letter relating to one patient to an unrelated third party. On further investigation it was discovered that the two discharge letters both ended up in the same envelope, which was not checked before it was sent. The Trust had in place a Safe Haven Policy which included a section on posting information, but did not cover the need to check documentation containing personal data before it is sent (for any format).
The Commissioner was later informed of four further similar incidents that occurred after this incident. One incident involved a letter being sent to the wrong address following an address not being updated, two involved letters being sent to an address that had been incorrectly written or recorded, and one further case was almost identical to the first reported breach, in that a community treatment order for one individual was placed with a letter intended for another individual.