Out-Law News

Private health business fined £200,000 over breach of data about fertility patients
A private health company has been fined £200,000 after being held responsible for data security shortcomings at one of its hospitals and at a sub-contractor in India.

The Information Commissioner's Office (ICO) said HCA International was responsible for a serious breach of the Data Protection Act.

The ICO said (17-page / 2.96MB PDF) that Lister hospital in London, owned by HCA, had, since 2009, "routinely sent unencrypted audio recordings" of conversations between doctors and people exploring fertility treatments at the hospital via email to a data processor in India where those conversations were transcribed.

A patient notified Lister hospital in April 2015 that some transcripts could be found online through an internet search engine, the ICO said. The watchdog said that HCA was unaware that the Indian business "used an unsecured FTP server to store the recordings and then send completed transcripts to the hospital". The server lacked authentication protocols governing access to the transcripts, it said.

The ICO said HCA "ought reasonably to have known that the recordings containing transcripts would be vulnerable to a security breach" and warned of the likely distress to patients who had been to the hospital.

HCA voluntarily reported the data breach to it and was both "fully co-operative" with the ICO and took "substantial remedial action", the watchdog said.

Steve Eckersley, head of ICO enforcement, said: "The reputation of the medical profession is built on trust. HCA International has not only broken the law, it has betrayed the trust of its patients. These people were discussing intimate details about fertility and treatment options and certainly didn't expect this information to be placed online. The hospital had a duty to keep the information secure. Once information is online it can be accessed by anyone and could have caused even more distress to people who were already going through a difficult time."

"What makes this case even worse is that we know the company is aware of its data protection obligations and already has appropriate safeguards in place in other areas of its business. The situation could have been avoided entirely if HCA International had taken the time to check up on the methods used by the contract company," he said.

Under the Data Protection Act, data controllers are required to take "appropriate technical and organisational measures" to ensure against the "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".

In addition, when outsourcing data processing to other businesses, data controllers remain responsible for compliance. They are obliged to ensure data processing arrangements are set out in contract. Data controllers can be liable for a fine of up to £500,000 if data processors fail to follow their contractual obligations and handle personal data in a way that breaches the Act.

Data protection law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said: "It appears a few simple self-assessment measures would have been sufficient to prevent this breach. These types of self-assessment will become worth their weight in gold once the General Data Protection Regulation (GDPR) comes into effect and reporting to the ICO, and potentially affected individuals, is no longer an optional matter but a mandatory requirement."