An e-mail gaffe and a spelling mistake by a doctor led to a breach of the UK’s Data Protection Act last year, according to a press release by the Information Commissioner’s Office today.
The Aneurin Bevan Health Board (ABHB) in South Wales was fined £70,000 (about $114,000 USD) after it mistakenly sent sensitive information about one patient to another patient in March 2011. The mistake came after a doctor at the board e-mailed a letter to a secretary for formatting, but failed to include enough information for the secretary to correctly identify the patient. The doctor also misspelled the patient’s name, causing the letter to be sent to another patient with a similar name.
While ABHB isn’t the first health board to draw the ire of the ICO, it is the first organization from the National Health Service to be fined by the office.
An investigation by the ICO found that neither of the employees who handled the information had received data protection training and that, on the whole, the ABHB was using poor data management practices.
The ICO’s Head of Enforcement, Stephen Eckersley, called out the ABHB on Monday, stressing that there need to be better checks and balances across the health service industry.
“The health service holds some of the most sensitive information available. The damage and distress caused by the loss of a patient’s medical record is obvious, therefore it is vital that organizations across this sector make sure their data protection practices are adequate,” said Eckersley.
The Data Protection Act, passed in 1998 by Parliament, mandates that personal information be processed according to strict guidelines. There are eight principles in total; among others, information must be processed securely, accurately and adequately.