The breach occurred when a doctor emailed a letter with patient information to a secretary for formatting, but did not include enough information for the secretary to identify the correct patient, the ICO said in a statement. The doctor also misspelled the name of the patient, which led to the report being sent to a former patient with a similar name.
The ICO found that neither person had received data protection training and that the board did not have adequate checks in place to ensure that personal information was sent to the correct person. These poor practices were also used by other clinical and secretarial staff across the organization, the ICO noted.
“Aneurin Bevan Health Board failed to have suitable checks in place to keep the sensitive information they handled secure. This case could have been extremely distressing to the individual and their family and may have been prevented if the information had been checked prior to it being sent”, commented Stephen Eckersley, ICO’s head of enforcement.
The board also agreed to address the concerns expressed by the ICO during its investigation. This includes ensuring all staff are made aware of and trained on the organization’s policies on storage and use of personal data, that there is appropriate and regular monitoring of compliance with policies on data protection and IT security, and that new checking processes are introduced across all sites to confirm a patient’s identity before personal information is sent out.