The Information Commissioner's Office (ICO) said Aneurin Bevan Health Board (ABHB) is the first NHS organisation it has issued a civil monetary penalty notice (11-page / 1.39MB PDF) to. The watchdog said ABHB had been guilty of a serious breach of the Data Protection Act (DPA).
The breach occurred in March last year after a secretary working for the ABHB sent a letter drafted by a consultant to the wrong address. The consultant had spelled the name of the intended recipient two different ways in the letter and had not included the patient's address or any other "unique identifier", such as their hospital or NHS number, in the draft. The secretary used an electronic database to try to identify the patient but mistakenly sent the letter to a former patient with a near-identical surname to the intended recipient.
The ICO said its investigation "revealed an absence of robust systems" at ABHB to ensure patients are correctly identified before correspondence is sent out.
"The health service holds some of the most sensitive information available," Stephen Eckersley, the ICO's head of enforcement, said in a statement. "The damage and distress caused by the loss of a patient's medical record is obvious, therefore it is vital that organisations across this sector make sure their data protection practices are adequate."
"Aneurin Bevan Health Board failed to have suitable checks in place to keep the sensitive information they handled secure. This case could have been extremely distressing to the individual and their family and may have been prevented if the information had been checked prior to it being sent."
ABHB has signed an undertaking to improve its data protection policies and practices. Staff are to be made aware of and trained on the proper storage and use of personal data, whilst ABHB has also agreed to ensure that compliance with data protection and IT security policies is regularly monitored.
The health board has also undertaken to ensure that any patient correspondence is not sent out unless "at least one unique identifier" has been used to corroborate patients' names.
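The control the undertaking describes, a name-only database search beside a lookup that refuses to resolve a recipient unless a unique identifier selects the record and the name merely corroborates it, as an added illustration that is not code from the ICO, the health board or the original article. The patient index, NHS numbers (syntactically valid under the public modulus-11 check-digit rule, but chosen for this example) and the crude "sounds like" surname key are all constructed assumptions.

```python
"""Recipient check for patient correspondence: name-only lookup vs identifier-corroborated lookup."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Patient:
    nhs_number: str   # 10-digit NHS number, the unique identifier
    surname: str
    forename: str
    postcode: str


# Constructed sample index (hypothetical): the NHS numbers pass the check-digit
# rule but belong to no real patient. Note the near-identical surnames.
PATIENT_INDEX = [
    Patient("9434765919", "Smith", "Jane", "AA1 1AA"),   # former patient
    Patient("9434765870", "Smyth", "Jane", "BB2 2BB"),   # intended recipient
]


class RecipientCheckError(Exception):
    """Raised when a letter must not be sent because the recipient is not positively identified."""


def _sounds_like(surname: str) -> str:
    # Crude spelling-tolerant key standing in for a "sounds like" database search (assumption):
    # lower-case and drop vowels, so Smith, Smyth and Smythe all collapse to "smth".
    return "".join(ch for ch in surname.casefold() if ch not in "aeiouy")


def lookup_by_name_only(index: Iterable[Patient], surname: str) -> Optional[Patient]:
    """The weak control: the first spelling-tolerant surname hit wins, whichever record that is."""
    for patient in index:
        if _sounds_like(patient.surname) == _sounds_like(surname):
            return patient
    return None


def nhs_number_is_valid(nhs_number: str) -> bool:
    """Modulus-11 check digit of an NHS number; rejects a mistyped identifier before any lookup."""
    digits = nhs_number.replace(" ", "")
    if len(digits) != 10 or not digits.isdigit():
        return False
    # Weights 10..2 over the first nine digits, remainder mod 11, check = 11 - remainder.
    total = sum(int(d) * (10 - i) for i, d in enumerate(digits[:9]))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:           # no valid check digit exists for this prefix
        return False
    return check == int(digits[9])


def resolve_recipient(index: Iterable[Patient], surname: str,
                      nhs_number: Optional[str] = None) -> Patient:
    """Hardened control: the unique identifier selects the record; the name only corroborates it."""
    if nhs_number is None:
        raise RecipientCheckError("no unique identifier on the draft; do not send")
    if not nhs_number_is_valid(nhs_number):
        raise RecipientCheckError("NHS number fails its check digit; do not send")
    key = nhs_number.replace(" ", "")
    hits = [p for p in index if p.nhs_number == key]
    if len(hits) != 1:
        raise RecipientCheckError(f"identifier matched {len(hits)} records; do not send")
    patient = hits[0]
    # The name check is deliberately spelling-tolerant: it catches an identifier that points at a
    # completely different person, while not failing on the kind of variant spelling in the draft.
    if _sounds_like(patient.surname) != _sounds_like(surname):
        raise RecipientCheckError("name on the draft does not corroborate the identifier; do not send")
    return patient


if __name__ == "__main__":
    print("name only:", lookup_by_name_only(PATIENT_INDEX, "Smyth"))          # wrong patient, silently
    print("corroborated:", resolve_recipient(PATIENT_INDEX, "Smythe", "943 476 5870"))
    try:
        resolve_recipient(PATIENT_INDEX, "Smyth")
    except RecipientCheckError as err:
        print("blocked:", err)
```

The point of the split is that the weak path returns a record for every query and leaves the decision to whoever reads the screen, whereas the hardened path has exactly one way to succeed and fails closed on a missing, malformed or uncorroborated identifier; that failure is what a mail-merge or letter-release step should key on.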
"We are pleased that the Health Board has now committed to taking action to address the problems highlighted by our investigation; however, organisations across the health service must stand up and take notice of this decision if they want to avoid future enforcement action from the ICO," Eckersley said.
The DPA requires that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data" by organisations in control of personal data. The Act requires extra care around the handling of sensitive personal data, such as information relating to individuals' "physical or mental health or condition".
The ICO can issue fines of up to £500,000 for serious personal data breaches. In January the watchdog said it would give "particular regulatory attention" to health organisations as part of its enforcement strategy.