ICO’s latest fine serves as a reminder of the willingness of the regulator to fine health organisations for failing to keep patient sensitive information secure.
This medical centre in London was fined by the Information Commissioner’s Office after it left highly sensitive medical information in an empty unsecured building – for more than 18 months. The personal data, included medical records, prescriptions and patient identifiable medicine that had been left unprotected. The medical centre had not been secured and neither had patient sensitive data – access to the building was unsupervised.
The alarm was raised by another local GP surgery who had expressed interest in taking over the lease of the second site belonging to Bayswater Medical Centre (BMC), which up until that time was being used as another storage facility. Following a visit to the site, the other practice sent an email to BMC bringing to its attention the fact that unsecured ‘Lloyd George Records’ were present at the premises – BMC acknowledged that records were present but took no action.
The local clinical commissioning group also got in touch with BMC raising concerns about the security of patient information at the premises, and at the same time also referring their concerns to NHS England. A site inspection by NHS England reported that the premises were secured by a single lock and had no other physical security measures such as an alarm. Photographs were taken by NHS England of what they discovered, including repeat prescriptions left on view in the office to medical records stored in unlocked cabinets with the keys left in the cabinets.
The ICO considered the contravention serious and further exacerbated as a result of the length of time the personal data was left unsecured – this was despite BMC being on notice that this was the case and a representative of the practice visiting the premises on a weekly basis but yet no action was taken to secure patient data.
A fine of £80,000 was issued but this was reduced to £35,000 after BMC’s ability to pay was taken into account.
Our content explained
Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.