London Hospital fined £200,000 over fertility data breach

A London private hospital that made patients’ confidential fertility data freely searchable online has been fined £200,000.

The Information Commissioner’s Office (ICO) has fined private health company HCA International after finding one its private hospitals, Lister Hospital, had not kept patients’ fertility data secure.

An investigation found that the hospital was sending unencrypted audio recordings of  information discussed during private IVF consultations to an Indian transcribing company, which then sent the transcript back to the hospital.

However the Indian company stored both the recordings and the transcripts on an unsecure server, allowing the confidential files to be searched by anyone on the internet.

A Lister Hospital patient uncovered the breach in April 2015 when they found a confidential IVF recording online. HCA had been using the transcribing companies since 2009.

ICO head of enforcement, Steve Eckersley, said HCA had broken the law and betrayed its patients’ trust.

“These people were discussing intimate details about fertility and treatment options and certainly didn’t expect this information to be placed online.”

“The hospital had a duty to keep the information secure. Once information is online it can be accessed by anyone and could have caused even more distress to people who were already going through a difficult time.”

Eckersley said the company had appropriate protections in other parts of its business and the breach could have been avoided if it had simply checked its contractor’s storage methods.

HCA International has 27 hospitals and medical centres in the United Kingdom, most of them based in London, and has been involved in several joint ventures with the NHS.