NHS employee found accessing medical records of over 2,000 patients
Wrightington, Wigan and Leigh NHS Foundation Trust recently announced that medical records of over two thousand patients were inappropriately accessed by a member of its staff without any legitimate reason for doing so.
The inappropriate access to the medical records of 2,172 patients by an employee at the Trust occurred due to “poor computer etiquette”, even though the employee had legitimate access to the trust’s electronic health record system, the trust said on its website.
The trust confirmed that the employee who is accused of accessing patients’ medical records had received information governance training as well as training on professional codes of practice and the trust’s Confidentiality Code of Conduct.
Medical records were accessed for over 18 months
It added that the employee accessed various kinds of medical records, such as blood results, care pathways, medication, secretary letters and discharge letters, of over two thousand patients. According to Manchester Evening News, the employee may have been accessing patient records for over 18 months before getting caught.
In a letter sent to affected patients, Wrightington, Wigan and Leigh NHS Foundation Trust said that it has reason to believe that the access was not malicious and that there is no evidence to suggest that patient information has been shared with third parties.
“The individuals who accessed the information are employees of the trust, working daily and legitimately with healthcare records. However, in this instance, they had no specific reason to access your record.
“Our investigation has shown that, in some cases, records were accessed inappropriately on a single occasion for a short period of time. In other cases, records were accessed multiple times or for longer periods of time,” the letter read.
The Trust said on its website that it will now initiate action in line with its Disciplinary Policy, make the employee undergo education and re-training, refer the employee to the ICO for disciplinary action, and also refer them to their professional body.
“This incident is still an ongoing criminal investigation with the Information Commissioner’s Office. Once the ICO has concluded its investigation we will post an update on the Trust website and can contact you directly if you wish us to,” it added.
“Wrightington, Wigan and Leigh NHS Foundation Trust has reported to the ICO allegations of unauthorised access to patient records by multiple members of staff and we are working with the data controller to establish the full facts before considering our next steps,” said an ICO spokesperson.
ICO taking a strong stance against inappropriate use of customer records
In the past few years, the ICO has issued multiple fines to organisations and individuals who had either inappropriately accessed or processed customer data or medical records for various reasons. In July last year, it fined the Independent Inquiry into Child Sexual Abuse (IICSA) £200,000 for failing to protect the identity of possible victims of child abuse after a human error disclosed the identities of such victims to third parties.
The ‘human error’ occurred in February last year when, instead of putting e-mail addresses of possible child abuse victims in the ‘bcc’ field, an employee at IICSA erroneously pasted e-mail addresses of 90 Inquiry participants in the ‘To’ field.
A month later, the ICO fined Emma’s Diary, a firm providing pregnancy and childcare advice, £140,000 for collecting and selling personal data of more than one million people, including new mums, to The Labour Party prior to the 2017 General Election.
The firm supplied 1,065,220 personal data records to Experian Marketing Services in May last year as part of an agreement where The Labour Party was listed as the latter’s client. Personal data sold by Emma’s Diary to Experian included names of parents, home addresses, children’s dates of birth, and presence of children up to five years old. Such data was provided to the firm by young mums at the time of online and offline registrations.
According to the ICO, personal data obtained by The Labour Party from Emma’s Diary allowed the party to “send targeted direct mail to mums living in areas with marginal seats about its intention to protect Sure Start Children’s centres”.