Home » Topics » Cybersecurity » ICO issues its first fine for NHS

ICO issues its first fine for NHS

Avatar photoby Ben Rossi

The Information Commissioner’s Office has issued its first ever fine to an NHS body.

The Aneurin Bevan Health Board (ABHB), which provides health services in South Wales, was issued with a £70,000 fine after sensitive patient records were sent to the wrong recipient.

"The error occurred when a consultant emailed a letter to a secretary for formatting, but did not include enough information for the secretary to identify the correct patient," a statement from the ICO reveals. "The doctor also misspelt the name of the patient at one point, which led to the report being sent to a former patient with a very similar name in March last year."

Neither party had been given data protection training, the ICO found, and the organisation did not have sufficient measures in place to ensure sensitive data was kept safe.

Besides the fine, the board also agreed to introduce data protection training, and new precautions are introduced.
“The health service holds some of the most sensitive information available," said Stephen Eckersley, the ICO’s head of enforcement. "The damage and distress caused by the loss of a patient’s medical record is obvious, therefore it is vital that organisations across this sector make sure their data protection practices are adequate."

This is the first ever fine for an NHS body, despite the fact that the health service is responsible for a large proportion of data breaches. In the six months between April and October last year, 40% of all data breaches reported to the ICO came from the NHS.

Earlier this year, it was reported that an NHS Trust in Brighton could be facing the largest fine ever served by the ICO, after hard drives containing patient data were sold online. The Argus newspaper reported that Brighton and Sussex University Hospitals NHS Trust faced a fine of £350,000 – three times the previous record fine.

At the time, data protection practitioner and blogger Jon Baines argued that the ICO may be reluctant to fine NHS bodies, as it could be perceived as limiting their ability to provide healthcare.

The ICO said today that its final ruling on that case is due in the month or so.

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

Related Stories

Cybersecurity

How AI will shift the security landscape in 2024

The impact of AI within cybersecurity is expected to grow significantly this year, says Alex Holland, senior malware analyst at HP

AI & Machine Learning

NCSC releases guidelines for secure AI development

New guidance from the National Cyber Security Centre (NCSC) aims to help businesses securely innovate with AI and minimise risks

Cybersecurity

3 cybersecurity compliance challenges and how to address them

Earning those trust seals can strengthen relationships with board members and prospective customers, but it sure isn’t easy.

Cybersecurity

70% of UK firms reported cyber insurance changes in past year

According to research from Databarracks, seven in 10 UK businesses have seen changes to their cyber insurance in the past 12 months, as requirements rise