The Information Commissioner’s Office has issued its first ever fine to an NHS body.
The Aneurin Bevan Health Board (ABHB), which provides health services in South Wales, was issued with a £70,000 fine after sensitive patient records were sent to the wrong recipient.
"The error occurred when a consultant emailed a letter to a secretary for formatting, but did not include enough information for the secretary to identify the correct patient," a statement from the ICO reveals. "The doctor also misspelt the name of the patient at one point, which led to the report being sent to a former patient with a very similar name in March last year."
Neither party had been given data protection training, the ICO found, and the organisation did not have sufficient measures in place to ensure sensitive data was kept safe.
Besides the fine, the board also agreed to introduce data protection training, and new precautions are introduced.
“The health service holds some of the most sensitive information available," said Stephen Eckersley, the ICO’s head of enforcement. "The damage and distress caused by the loss of a patient’s medical record is obvious, therefore it is vital that organisations across this sector make sure their data protection practices are adequate."
This is the first ever fine for an NHS body, despite the fact that the health service is responsible for a large proportion of data breaches. In the six months between April and October last year, 40% of all data breaches reported to the ICO came from the NHS.
Earlier this year, it was reported that an NHS Trust in Brighton could be facing the largest fine ever served by the ICO, after hard drives containing patient data were sold online. The Argus newspaper reported that Brighton and Sussex University Hospitals NHS Trust faced a fine of £350,000 – three times the previous record fine.
At the time, data protection practitioner and blogger Jon Baines argued that the ICO may be reluctant to fine NHS bodies, as it could be perceived as limiting their ability to provide healthcare.
The ICO said today that its final ruling on that case is due in the month or so.