Yet another NHS worker fined for accessing sensitive medical records without authorisation

It seems the NHS can’t keep its staff under control as yet another worker has been found guilty of accessing sensitive medical records without authorisation.

Linda Reeves reportedly abused her position as a former data coordinator with access to the Trust’s patient database by rifling through medical records belonging to colleagues, friends and neighbours. She did not have any consent or authorisation from patients or her employer as the data controller.

Reeves has since resigned from her job at The University Hospitals of North Midlands NHS Trust.

What happened?

The North Staffordshire Justice Centre was told that from October 2014 to April 2016, Reeves had accessed 398 patient records without permission. Reeves’ lawyer, Tony Cooke, defended her actions as being without malicious intent, noting her personality as “just plain nosy and looked at things that caught her imagination and interest.”

Further comment read:

“She tells me she has been stupid. She did it out of ignorance, not knowing that she was getting herself into. She knows she’s been reckless but I don’t think anyone can say she acted with malice. She felt she had to leave the NHS after these allegations.”

Sadly for Reeves, ignorance of the law is not a defence, and will not alleviate any potential damage caused.

NHS look to repair trust

Medical director at the NHS hospital, John Oxtoby, spoke about the incident in hopes of repairing trust in the NHS, noting that staff are “aware that confidentiality is of the utmost importance and that unauthorised access to patient records is not acceptable and will lead to disciplinary action. There are strict protocols that they must follow and I am confident that almost without exception our staff can be fully trusted to respect the privacy of our patients.”

Unfortunately, it appears that the NHS have a while to go yet before they can ensure their data security protocols are airtight.

Regulators’ involvement

The Information Commissioner’s office was notified of Reeves’ data breach and issued a fine of £700.00 after she pleaded guilty to charges. Reeves will also need to pay an additional £364.08 in costs and a victim surcharge of £70.00 as well. In this case, curiosity has come at the cost of over £1,000.00 and the loss of a career.

A worryingly common occurrence…

The fine comes just weeks after the ICO published a warning to curious employees over the consequences of snooping on personal data without authorisation. Cooke’s words illustrate how easy it is to give in to temptations of having a peek here and there to satisfy your curiosity. Employees may think there is nothing wrong with having a little look, but for the data subject, it’s not nice.

In response to the conviction an ICO spokesperson stated:

“People need to stop and think about the consequences before accessing personal information out of curiosity… It is against the law to access medical records containing personal data without a business purpose to do so. The law is clear and the consequences of breaking it can be severe.”

Eight fines in the past year alone…

The ICO has fined eight healthcare workers in the past year alone for snooping on medical records belonging to friends, family, colleagues and neighbours. The ICO continue to emphasise the importance of respecting someone’s right to privacy:

“Patients are entitled to have their privacy protected and those who work with sensitive personal data need to know that they can’t just access it or share it with others when they feel like it.”

66% of small-to-medium businesses could “shut down” in the event of a data breach

Nottinghamshire County Council fined £70,000 for leaving data belonging to vulnerable people exposed for 5 years