London NHS Trust fined £90,000 for faxing patient records to the wrong number

The Information Commissioner’s Office (ICO) has announced today that the Central London Community Healthcare (CLCH) NHS Trust has been fined £90,000 ($142k) following a serious breach of the Data Protection Act (DPA).

The breach first happened in March last year. Patient lists from the Pembridge Palliative Care Unit, intended for St John’s Hospice, were faxed to the wrong recipient. The individual informed the Trust in June that they had been receiving the patient lists; around 45 faxes over a three month period, but had shredded them.

The patient lists contained sensitive personal data relating to 59 individuals, including medical diagnoses and information relating to their domestic situations and resuscitation instructions.

Why the problem was not flagged up by the intended recipient is not known and it points to a problem with using a fax machine correctly to ensure that information ends up in the right place. At the very least, a follow up call to confirm receipt of sensitive information might have been a better idea if using a fax machine was not the right way to confirm that these messages were going to the right place.

The ICO’s investigation found that the Trust failed to have sufficient checks in place to ensure that sensitive information sent by fax was delivered to the correct recipient. The trust also failed to provide sufficient data protection guidance and training to the member of staff concerned.

Stephen Eckersley, the ICO’s Head of Enforcement said:

“Patients rely on the NHS to keep their details safe. In this case Central London Community Healthcare NHS Trust failed to keep their patients sensitive information secure. The fact that this information was sent to the wrong recipient for three months without anyone noticing, makes this case all the more worrying.”

The NHS does not appear to be doing well when it comes to keeping data safe. In a large organisation it may be said that it is difficult to handle large amounts of both analogue and digital information, but given the sensitive and private nature of this material, it’s not surprising that patients are distressed by these blunders.

Earlier this year the NHS Trust saw its first fine of £70,000 after a sensitive report about a patient was sent to the wrong person.

All NHS Trusts are required to provide information about serious data breaches. According to research by Guardian Healthcare last year,   here were 899 data breaches of personal information by the 30 trusts in the London from 2008 to early 2011. The Guardian’s report on the matter pointed to a lack of staff training and support for data protection.