02 May 2012


Following up on the health data breach incidents noted here, the UK Information Commissioner's Office reports that the Aneurin Bevan Health Board has become the first National Health Service organisation to receive a monetary penalty following a serious breach of the Data Protection Act.

The Board was hit with a £70,000 penalty for sending a patient's medical report, featuring what is described as "explicit details" regarding that person’s health, to the wrong person in March 2011.

The error occurred when a consultant emailed a letter to a secretary for formatting, but failed to include sufficient information for the secretary to identify the correct patient. The doctor also misspelt the name of the patient at one point, which led to the report being sent to a former patient with a very similar name. The latter accordingly received a detailed psychological report about a mental health patient.

The Office concluded that neither of the two Health Board staff involved in the incident had received data protection training. It also concluded that the Health Board did not have adequate checks in place to ensure that personal information was sent to the correct person.

In discussing the breach, the Office publicly reminded the NHS that it “holds some of the most sensitive information available ... it is therefore vital that organisations across this sector make sure that their data protection practices are adequate”. On to the next data breach report, as leaks aren't only found among the leeks.

The penalty contrasts with those in the US incidents, which amounted to around US$1 per person rather than the £70,000 per person.