£200,000 fine for patient data breach


Failure to comply with the Data Protection Act 1998 has led to a £200,000 fine for a private company

[London, UK] The Information Commissioner’s Office (ICO) has issued a £200,000 fine after it discovered a private health company breached data protection rights.

The ICO launched an investigation after a patient came across transcripts of doctors' outpatient letters in April 2015. It found that since 2009 the Lister Hospital had been sending audio recordings to a company located in India, which transcribed the information and sent it back to the UK, storing it on an unsecured server.

HCA International Ltd has therefore been fined £200,000 for failing to comply with the Data Protection Act 1998.

“The reputation of the medical profession is built on trust. HCA International has not only broken the law, it has betrayed the trust of its patients.

“These people were discussing intimate details about fertility and treatment options and certainly didn’t expect this information to be placed online. The hospital had a duty to keep the information secure. Once information is online it can be accessed by anyone and could have caused even more distress to people who were already going through a difficult time,” said Steve Eckersley, Head of ICO Enforcement.

New data protection law

The new General Data Protection Regulation (GDPR) is expected to come into effect in May next year; the ICO says the government has confirmed that Brexit will not affect it. The law will give the ICO the power to issue fines of ‘up to four per cent’ of a company’s overall turnover in cases of ‘serious’ breaches.

“What makes this case even worse is that we know the company is aware of its data protection obligations and already has appropriate safeguards in place in other areas of its business.

“The situation could have been avoided entirely if HCA International had taken the time to check up on the methods used by the contract company,” Eckersley added.

Yesterday, a Guardian investigation revealed that NHS Shared Business Services (SBS) had misplaced more than half a million documents between 2011 and 2016, prompting NHS England to launch an investigation after nearly 2,500 of them were found to present a risk to patient care.

A Lister Fertility Clinic spokesperson said: “We take the protection of our patients’ confidential and sensitive information extremely seriously; however, on this occasion we fell short of both the standards of the ICO and the high standards we set for ourselves.

“We have apologised to the seven patients affected for the distress this may have caused and we no longer work with the company involved.

“The Lister Fertility Clinic has put in place more rigorous checks and measures to ensure the safety of our patients’ information.”

HCA International Ltd did not respond to our request for comment in time for publication.