ICO issues £70,000 fine to Aneurin Bevan Health Board

The Aneurin Bevan Health Board (ABHB) have been served a monetary penalty by the data Commissioner's Office (ICO).

The Welsh health board was issued with a penalty of £70,000 after a sensitive report was sent to the incorrect person. Based on the ICO's undertaking, the mistake occurred when a letter containing a close psychological report of a mental-health patient have been sent to a different former patient with the same name.

A consultant emailed his letter to a secretary for formatting, but didn't include sufficiently clear identifiers for the secretary to choose the best patient. The doctor had extensively utilized the spellings of both patients' names in his email.

Further investigations revealed that neither the consultant nor the secretary had received any data protection training from the knowledge controller, and that practices comparable to people that brought about this incident were widely followed by clinical and secretarial staff throughout the organisation.

ABHB has signed an undertaking to handle the troubles expressed by the ICO during its investigation. This includes ensuring all staff are made responsive to, and trained on, the organisation's policies on storage and use of personal data, that there is appropriate and regular monitoring of compliance with policies on data protection and IT security, and that new checking processes are introduced across all sites to confirm a patient's identity before personal information is sent out.

Stephen Eckersley, the ICO's head of enforcement, said: “The health service holds some of the most sensitive information available. The damage and distress caused by the loss of a patient's medical record is obvious, therefore it is vital that organisations across this sector make sure their data protection practices are adequate.

“Aneurin Bevan Health Board failed to have suitable checks in place to keep the sensitive informatiat they handled secure. This situation might have been extremely distressing to the person and their family and should were prevented if the ideas were checked previous to it being sent.

“We are pleased that the board has now committed to taking action to handle the issues highlighted by our investigation; however, organisations around the health service must rise up and take notice of this decision in the event that they desire to avoid future enforcement action from the ICO.”