ICO warns NHS employees that unlawfully accessing patient records is an offence

The Information Commissioner’s Office (ICO) has reminded NHS staff about the potentially serious consequences of prying into patients’ medical records without a valid reason. The warning comes after a former health care assistant was ordered to pay a total of £1,715 in fines and costs after pleading guilty to offences of unlawfully obtaining and unlawfully disclosing personal data.

Colchester Magistrates’ Court was told that, while employed as a healthcare assistant by Colchester Hospital University NHS Foundation Trust, Brioney Woolfe accessed the medical records of several individuals without any business reason for doing so.

Following a complaint by a patient, an investigation established that, between December 2014 and May 2016, Woolfe had accessed the records of 29 individuals, including family members, colleagues and others with no known connection to the defendant. Some of the information obtained was subsequently shared with others. That was not only a breach of patient confidentiality, but also an offence under the Data Protection Act.

Woolfe (29) – of Stour Close, Dovercourt in Essex – was fined £400 for the offence of obtaining personal data and a further £650 for the offence of disclosing personal data. She was also ordered to pay a contribution of £600 towards prosecution costs in addition to a victim surcharge of £65.

The case is one of several ICO prosecutions involving staff illegally accessing health records in recent months.

Steve Eckersley, the ICO’s head of enforcement, said: “Once again, we see an NHS employee putting themselves into serious trouble by letting their personal curiosity get the better of them. Patients are entitled to have their privacy protected. Those who work with sensitive personal data need to know that they cannot just access it or share it with others when they feel like doing so. The law is clear and the consequences of breaking the law can be severe.”

TalkTalk fined £100,000

The ICO has fined TalkTalk Telecom Group plc £100,000 after it failed to look after its customers’ data and risked that data falling into the hands of scammers and fraudsters. An ICO investigation found TalkTalk breached the Data Protection Act because the company allowed staff to have access to large quantities of customers’ data. Its lack of adequate security measures left the data open to exploitation by rogue employees.

The breach came to light in September 2014 when TalkTalk started receiving complaints from customers that they were receiving scam calls. Typically, the scammers pretended they were providing support for technical problems. They quoted customers’ addresses and TalkTalk account numbers.

The ICO launched an investigation into how customer details – names, addresses, phone numbers and account numbers – were compromised. The investigation found that the issue centred on a TalkTalk portal through which customer information could be accessed.

One of the companies with access to the portal was Wipro, a multinational IT services business in India that resolved high level complaints and addressed network coverage problems on TalkTalk’s behalf.

A specialist investigation conducted by TalkTalk identified three Wipro accounts that had been used to gain unauthorised and unlawful access to the personal data of up to 21,000 customers. Forty Wipro employees had access to the data of between 25,000 and 50,000 TalkTalk customers. Staff were able to:

* log in to the portal from any Internet-enabled device. No controls were in place to restrict access to devices linked to Wipro

* carry out ‘wildcard’ searches – for example, entering ‘A*’ to return all surnames beginning with that letter. This allowed staff to view large numbers of customer records at any given time and to export data

* view up to 500 customer records at a time

The ICO found this level of access was unjustifiably wide-ranging and put the data at risk.

Focus on the real victims

Information Commissioner Elizabeth Denham explained: “TalkTalk may consider itself to be the victim here, but the real victims are the 21,000 individuals whose information was open to abuse by the malicious actions of a small number of people. TalkTalk should have known better and should have put their customers first.”

The ICO has fined TalkTalk because it breached the seventh principle of the Data Protection Act. The business did not have appropriate technical or organisational measures in place to keep personal data secure.

The investigation found that TalkTalk should have been aware of the risks and that the misuse of personal data was likely to cause substantial damage or distress. The business should have been aware of the increasing prevalence of scams and attempted frauds and assessed the measures it had in place to mitigate them.

Over a long period of time, TalkTalk had ample opportunity to implement appropriate measures, but the company failed to do so. It should have made sure the portal could only be accessed from authorised devices and could have taken steps to prevent large-scale accessing and exporting of personal data through the portal.
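The three weaknesses the ICO listed (no device restriction, wildcard searches, 500 records per view) are the kind of thing a portal's lookup handler can enforce against directly. The following is an added illustration, not TalkTalk's or Wipro's code, of a surname lookup that checks the caller's network against an allowlist, refuses wildcard sweeps such as ‘A*’, caps the page size, and keeps a per-user volume count so that large-scale harvesting through the portal raises an audit alert. The customer records, the allowed network, the limits and every function name are assumptions constructed for the example.

```python
"""Added example (not the portal's real code): access controls for a
customer-lookup handler.  All data, limits and names are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed stand-ins for portal customer records (assumption).
CUSTOMERS = [
    {"account": "A10001", "surname": "Adams", "phone": "01000 000001"},
    {"account": "A10002", "surname": "Allen", "phone": "01000 000002"},
    {"account": "A10003", "surname": "Baker", "phone": "01000 000003"},
    {"account": "A10004", "surname": "Brown", "phone": "01000 000004"},
]

# Assumed policy values.  The network is TEST-NET-3, standing in for the
# contractor's office egress range; real deployments would also bind
# sessions to a managed device identity, not just a source address.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
MIN_QUERY_LEN = 3            # defeats 'A*'-style sweeps of a whole letter
MAX_PAGE_SIZE = 20           # far below the 500 records the portal allowed
HOURLY_RECORD_BUDGET = 200   # per-user ceiling that raises an audit alert


class PortalPolicyError(Exception):
    """Raised when a request breaks one of the portal's access rules."""


@dataclass
class Session:
    user: str
    client_ip: str
    views: list = field(default_factory=list)   # (timestamp, record count)
    audit: list = field(default_factory=list)   # audit trail for this session


def check_device(session):
    """Reject sessions whose source address is outside the allowlist."""
    ip = ipaddress.ip_address(session.client_ip)
    if not any(ip in net for net in ALLOWED_NETWORKS):
        session.audit.append(f"DENY user={session.user} ip={session.client_ip}")
        raise PortalPolicyError("portal only reachable from authorised networks")


def normalise_query(surname_query):
    """Allow a trailing '*' as a prefix match, but insist on enough literal
    characters that one query cannot enumerate a large slice of the base."""
    q = surname_query.strip().rstrip("*")
    if len(q) < MIN_QUERY_LEN or any(c in q for c in "*%?_"):
        raise PortalPolicyError(
            f"surname search needs at least {MIN_QUERY_LEN} literal characters")
    return q.lower()


def effective_page_size(requested):
    """Clamp the caller's page size to the policy maximum."""
    return max(1, min(requested, MAX_PAGE_SIZE))


def account_volume(session, count, now=None):
    """Record `count` returned records and return the rolling one-hour total,
    appending an ALERT audit line when the user's budget is exceeded."""
    now = now or datetime.now(timezone.utc)
    window = now - timedelta(hours=1)
    session.views = [(t, n) for t, n in session.views if t >= window]
    session.views.append((now, count))
    total = sum(n for _, n in session.views)
    if total > HOURLY_RECORD_BUDGET:
        session.audit.append(
            f"ALERT user={session.user} hourly_records={total} over budget")
    return total


def over_budget(session):
    return any(line.startswith("ALERT") for line in session.audit)


def search_customers(session, surname_query, page_size=MAX_PAGE_SIZE, now=None):
    """Look up customers by surname prefix under all three controls."""
    check_device(session)
    prefix = normalise_query(surname_query)
    size = effective_page_size(page_size)
    hits = [c for c in CUSTOMERS if c["surname"].lower().startswith(prefix)][:size]
    total = account_volume(session, len(hits), now)
    session.audit.append(
        f"SEARCH user={session.user} q={prefix} returned={len(hits)} hour_total={total}")
    return hits


if __name__ == "__main__":
    s = Session(user="agent01", client_ip="203.0.113.5")
    print(search_customers(s, "Ada"))      # one record
    try:
        search_customers(s, "A*")          # rejected as a wildcard sweep
    except PortalPolicyError as e:
        print("rejected:", e)
    print("\n".join(s.audit))
```

The audit lines are the detection half of the control: the ALERT entries give a security team a per-user signal to act on before tens of thousands of records have left the portal, rather than learning of the problem months later from customer complaints.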

The ICO investigation didn’t find direct evidence of a link between the compromised information and the complaints about scam calls.

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian is actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.