St George’s fined for stray letters
12 July 2012
St George’s Healthcare NHS Trust has been issued with a £60,000 fine for sending a vulnerable patient’s medical details to the wrong address.
This is the fourth fine issued to an NHS trust by the Information Commissioner’s Office in four months.
The penalty notice says two letters containing highly sensitive personal data were sent to the patient’s old address in May 2011.
These included a summary of confidential allegations made by the person and details of a physical examination that had been undertaken and its findings.
The letters were addressed to the correct recipient, but they had not lived at the address they were sent to for nearly five years.
The ICO’s investigation found that the patient’s current address had been given to trust staff before the medical examination took place and that it had been logged on the Spine in June 2006.
The mistake was made after staff failed to use the address supplied, or to check that the person’s recorded address on their local patient database – iClip – matched the data on the Spine.
The trust had set up a prompt to remind staff about the need to check and update patient information against the Spine.
But the ICO investigation found the trust also knew the prompt could be bypassed and that it had failed to address the problem.
The report says the data controller was aware that many staff found the iClip system difficult to use and that conducting a PDS against the Spine was “cumbersome.”
Aggravating factors that were taken into account when deciding on a penalty were that two similar security breaches occurred within seven days of each other, and that the unauthorised disclosure to a third party may prejudice any criminal prosecution arising from the allegations.
However, the report says both letters may have been disclosed to the unintended recipient during court proceedings.
ICO head of enforcement Stephen Eckersley said the breach was clearly preventable and it is vital that NHS trusts are able to keep patients’ details secure.
“It’s hard to imagine a more distressing situation for a vulnerable person than the thought of their sensitive health information being sent to someone who had no reason to see it,” he said.
A trust spokesperson said it accepted the penalty and has “sincerely apologised” to those affected for the distress caused.
“As soon as we discovered this mistake we reported it to the ICO and contacted those affected to explain what had happened,” the spokesperson said.
“We launched an immediate investigation and have introduced a number of measures to help prevent similar incidents in the future, including clearer documentation and additional training for staff.
“We have also made improvements to our information systems to ensure that our staff always have access to the most up-to-date patient contact details.”
If the trust pays by 1 August the fine will be reduced to £48,000.