The UK Information Commissioner's Office (ICO) recently announced that the North Staffordshire Combined Healthcare NHS Trust was fined £55,000 following a breach of the Data Protection Act that resulted in the exposure of three patients' medical information.
Between August and September 2011, three separate faxes were sent by mistake to a member of the public instead of the trust's Wellbeing Center.
The trust only discovered the error when the recipient sent them a letter.
The information exposed included the patients' names, addresses, medical histories, and details of their physical and mental health.
While the trust had guidance in place requiring staff to call ahead and make sure that faxes were sent to the right addresses and were successfully received, that guidance had not been communicated to the staff involved in the incident.
"Let's make no mistake, this breach was entirely avoidable," ICO Enforcement Group Manager Sally Anne Poole said in a statement. "One phone call ahead to the trust's Wellbeing Centre would have alerted its staff to the fact that the number they were entering was incorrect. This would have stopped highly sensitive information about the care of vulnerable people being sent to a member of the public on three separate occasions."
"This case should act as a warning to all organizations that routinely send out sensitive personal information by fax," Poole said. "Make sure you have appropriate procedures and controls in place, so that errors can be spotted before it is too late."