London NHS Trust fined £90k for fax-based data breach

The Information Commissioner's Office has fined the Central London Community Healthcare (CLCH) NHS Trust £90,000 for what it called a "serious breach of the Data Protection Act".

However, the trust plans to appeal the fine on the grounds that it reported the breach itself and has taken measures to prevent it from occurring again.

Last year, information relating to 59 patients including "medical diagnoses, information about the patient’s domestic situation and resuscitation instruction" was accidentally faxed by the Pembridge Palliative Care Unit to the nearby St John’s Hospice.

The breach occurred because an admin worker set up a fax template for a secondary line at the Hospice, seemingly with the wrong number, and then failed to check whether the faxes had been received, as the Trust's fax protocol requires. Faxes were sent to the wrong number 45 times in three months.

The member of the public who received the faxes contacted Pembridge on June 6th, and said they had been shredding the faxes as they came through.

The ICO found that administrative staff had not been trained to obtain management approval before updating the fax protocol, and that the hospital’s data controller had not considered using more secure channels for the transmission of patient information.

"In this case Central London Community Healthcare NHS Trust failed to keep their patients' sensitive information secure," the ICO's head of enforcement Stephen Eckersley said. "The fact that this information was sent to the wrong recipient for three months without anyone noticing makes this case all the more worrying."

CLCH has instructed its lawyers to commence an appeal against the fine.

It called the breach "hugely regrettable", and said it had apologised to all families and individuals involved, but it added that it had reported the data breach to the ICO itself, fully cooperated with the ICO's subsequent investigation, and has taken action to reduce the risk of a similar incident.

"We consider that the Commissioner has acted incorrectly as a matter of law and so we have no alternative but to bring an appeal," it said.

The fine comes just weeks after the ICO issued its first ever financial penalty to an NHS organisation. The ICO fined the Aneurin Bevan Health Board £70,000 at the end of April, after it sent a sensitive report, containing explicit details relating to a patient's health, to the wrong person.