
Out-Law News

ICO hits NHS Trust with £90k fine for sending faxes outlining patient palliative care details to member of the public


An NHS Trust in London has been fined £90,000 after a staff member faxed sensitive health care information about 59 inpatients to a member of the public.

The Information Commissioner's Office (ICO) levied the fine after Central London Community Healthcare NHS Trust reported that approximately 45 separate fax messages containing the lists of inpatients had been sent to the wrong recipient during a period spanning more than two months.

The lists, sent from Pembridge Palliative Care Unit, contained "confidential and sensitive personal data" that set out medical diagnoses, information about patients' domestic situation and resuscitation instructions for "many" of those individuals listed who "were receiving palliative care," the ICO said.

The lists were sent by an administrator at the Pembridge Unit who had arranged to send the documents to two fax numbers following a request by St John's Hospice. However, the individual had not received "sufficient" data protection training or guidance that would have told them to obtain approval from management before doing so and to check that the faxes had been received at both numbers. As a result the lists were wrongly sent to a member of the public, who informed the Trust of the error in June last year. The member of the public claimed he had "shredded" the faxes he had wrongly received.

The ICO said that the Trust has updated its practices as a result of the data breaches.

"[The Trust] has now taken substantial remedial action which includes not sending inpatient lists by fax to the Hospice, carrying out a detailed internal investigation into the security breach and considering the use of more secure means available for sending confidential and sensitive personal data such as email," the watchdog said in its monetary penalty notice (11-page / 131KB PDF).

Stephen Eckersley, the ICO's head of enforcement, said: "Patients rely on the NHS to keep their details safe. In this case Central London Community Healthcare NHS Trust failed to keep their patients' sensitive information secure. The fact that this information was sent to the wrong recipient for three months without anyone noticing makes this case all the more worrying."

Under the Data Protection Act the ICO has the power to issue fines of up to £500,000 for serious breaches of personal data.

The Act requires organisations in control of personal data to take "appropriate technical and organisational measures" to prevent "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". Organisations must take extra care around the handling of sensitive personal data, which includes information relating to individuals' "physical or mental health or condition". 
