ICO cautions NHS staff against illegally accessing patient medical records

The Information Commissioners Office (ICO) has specifically reminded NHS staff not to access patient medical records without proper reason and / or proper authority. Illegally accessing, obtaining and/or disclosing patient medical records without permission is not only a violation of patient data protection rights, but also exposes the wrongdoer and the NHS to legal action and costly fines.

This latest ICO warning was prompted by a recent case where a former health care assistant accessed medical records belonging to several patients without a valid reason. Over a period of a year and a half, Brioney Woolfe reportedly accessed patient files belonging to 29 individuals, including her family members, colleagues and other patients.

Information also disclosed

Her wrongdoing was further exacerbated by the fact she reportedly disclosed some of the sensitive information. Woolfe’s illegal behaviour was discovered when a patient filed a complaint against her.

Colchester Magistrates’ Court found Woolfe liable for breaching Data Protection laws during her employment at Colchester Hospital University NHS Foundation Trust. She was fined £400 for illegally obtaining personal information as well as £650 for disclosing some of that sensitive information as well. On top of the £1,050 fine, Woolfe was also ordered to pay costs of £665.

Warnings and reminders…

The ICO’s warning serves as an important reminder to NHS staff of the seriousness of breaching data protection rules. Woolfe probably thought nothing of ‘having a look‘ at some patient records, but it ended up costing her £1,715, and her job. Prospective employers will likely be put off by her actions, perhaps deeming her as someone that can’t be trusted.

The NHS data breach trends

This scenario is one of many that have occurred over the last few years…

The NHS are constantly making headlines for all sorts of data breaches, with most of them being administrative errors or employees who failed to take data protection seriously. Steve Eckersley, Head of Enforcement at the ICO, is understandably frustrated by repetitive breaches:

“Once again we see an NHS employee getting themselves in serious trouble by letting their personal curiosity get the better of them… Patients are entitled to have their privacy protected and those who work with sensitive personal data need to know they can’t just access it or share it with others when they feel like it. The law is clear and the consequences of breaking it can be severe.”

People who have or can access medical records need to recognise the sensitive nature of the information and respect a patient’s right to privacy. Whilst it may apparently be interesting, for some, to see who has what ailments, this information is privileged.

For the victims, knowing someone has accessed your sensitive information can be deeply distressing. Victims often feel anxious and distressed, fearing that someone out there knows something private about them and can share it to the world whenever they please. Their mistrust to others can have great impact on their lives; never knowing who they can trust, and constantly worrying if it might happen again.

Since October 2016, the ICO has seen eight individuals prosecuted and sanctioned for illegally accessing medical records. Seven were employed by the NHS at the time of the breach, all of whom are no longer employed at the hospital/ healthcare centre they committed the breach at.

TalkTalk fined £100,000 for putting 21,000 customers at risk of scams and fraud

Data breaches in the U.K. retail sector doubled in one year