Kent NHS Trust - serious breach of confidentiality


purplemushroomfairy

I received a letter from my local NHS informing me that all of my medical records, personal information etc had mistakenly been emailed without anonymity to 6 people within the IT firm who were updating the IT systems.

 

They apologised and said it was serious, they had asked for my details to be deleted and were investigating.

 

I rang my legal insurance who said I must write a letter.

I wondered if there was an example in the files I could use or if one of you could advise.

 

I have a complicated medical history which I would rather wasn't shared, but it's the personal details that frighten me, as these can be used or sold on.

Thank you


Yes. This is very serious. I wonder if you're the only one or if it happened to others.

 

I would send them an SAR. Do it immediately. Include a payment for £10 but tell them that you expect it to be returned to you. Ask them for all data that they hold on you, what it was used for, how they acquired it, and who they have shared it with – either deliberately or inadvertently.

 

Tell them that although they have a 40 day time limit to comply, you think that they should escalate this and complete the task within seven days.

 

Secondly, I would send them an FOI request asking them for all information relating to the present data leak, including information as to whether you were the only person whose data was leaked or if the leak concerned other people. Ask them also whether they have communicated any details of this leak in respect of you or anyone else to the ICO and ask them for a reference number. Ask them for copies of any correspondence that they have sent the ICO relating to this matter.

 

They have 20 days to comply with this request and it is free. Get that request off to them immediately – but put it in a separate envelope from the SAR, in a separate letter, so that there is no confusion and it doesn't accidentally get "overlooked". They won't be happy about responding to this one.

 

Please will you tell us which local NHS this is.

 

Next, you should begin an immediate complaint to the ICO. Of course the NHS would have had a duty to inform the ICO in any event. But you may as well begin your complaint.


Is the problem that they were sent by a correct method to people who shouldn’t have been sent them?

That they were sent to people who should have had access to the information (& would have been bound by a duty of confidentiality) but they were sent by an insecure method (e.g. outside the N3 network and/or unencrypted) meaning others could have accessed them?

Or a mixture of both??

 

You can also ask “Was it both “necessary” and “proportionate” that they should have been sent at all?” : these points will help establish what went wrong and why (& hint at if others may have suffered the same, too), as well as giving an indication how widely the data may have “leaked”.

 

You should also ask:

a) have they informed the ICO, and

b) have they informed their Caldicott guardian (and ask who that is).


> ........
>
> Secondly, I would send them an FOI request
>
> ........
>
> They have 20 days to comply with this request and it is free.
>
> ..........
>
> Please will you tell us which local NHS this is.

 

20 working days for a FOIA request.

 

BF isn’t wrong with his plan, but although they may answer sooner, if they dig their heels in, they can take 40 days and 20 working days (30 days with bank holidays) to respond without breaching their responsibilities.

 

I’d ask for the information, reminding them of their “duty of candour”.

http://www.cqc.org.uk/guidance-providers/regulations-enforcement/regulation-20-duty-candour

 

You are clearly anxious about the extent and effect of this breach, since you have posted here. You might want to highlight that more information may well be able to reassure you, or at least (if it confirms the situation is serious) allow them to provide a summary of how they plan to reduce your anxiety, reducing the risk of further harm....


Thank you for your advice.

The breach has been made by Kent NHS Trust.

I am already finding that my anxiety levels, which I had managed to control, are rising rapidly to the point where I am needing medication to bring them down. As this has coincided I can only conclude that this most recent event has tipped my levels.


I would suggest that you start documenting all the effects this has had on you – including physical/emotional/mental – and also any losses or expenses which you incur as a result. Keep a careful note.

 

If you are suffering then I suggest that you go and see a doctor – and make sure you tell the doctor the whole story so that later on if you need some medical evidence or a report or an opinion then it will be straightforward to get hold of.

 

Apart from any other compensation to which you might be entitled, breaches of the Data Protection Act which cause distress, confer a right to compensation.


“Kent NHS Trust”- do you mean

Kent Community NHS Trust?

Kent and Medway NHS and Social Care Partnership Trust?

Or, some other NHS Trust in Kent ....

 

Edited: you provided a clickable link.

It is the first.

 

In

https://www.kentcht.nhs.uk/wp-content/uploads/2017/03/6797-information-governance-service-provision.pdf

They don’t identify which Consultant Doctor is their Caldicott Guardian, as they claim it is “personal information”

 

They provide a location and phone number in appendix A of

https://www.kentcht.nhs.uk/wp-content/uploads/2017/04/6967-Data-Protection-and-Confidentiality-policy.pdf

But, still no name ....

 

P.35 of their annual report shows that their previous Medical Director (until he left in Feb 2017) was their Caldicott Guardian.

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/634215/KENTCOMM_Annual_Report_and_Accounts_2016-17.pdf

It is silent as to if the acting medical director after he left took on this role.


It goes without saying that this should never have happened, but unfortunately it has.

 

One thing that you should take some comfort from is that they have noticed that there’s a breach and that they’ve informed you of it. Equally, it seems that they know who has received the records, and I imagine as part of their investigation they will be performing a full audit trail to see where your (and potentially lots of other) records went and if they were accessed. Another thing to remember is that usually anyone that works anywhere near patient records is vetted through DBS and has signed a confidentiality agreement that they will not disclose anything that they learn in the course of their time there. Lastly, there is the sheer volume of information that generally comprises a full medical record: they aren’t easily read and understood by non-clinicians and seldom contain information that could make you vulnerable to financial theft.

 

Nevertheless I can totally understand how unsettling it could be but I’d appeal to you to not catastrophise - although they’ve been sent it’s very unlikely they’ve been opened and less likely still that the reader has stuck with it for long enough to learn anything about you.

 

Good luck getting it sorted out.

My views are my own and are not representative of any organisation. If you've found my post helpful please click on the star below.


> It goes without saying that this should never have happened, but unfortunately it has.
>
> One thing that you should take some comfort from is that they have noticed that there’s a breach and that they’ve informed you of it. Equally, it seems that they know who has received the records, and I imagine as part of their investigation they will be performing a full audit trail to see where your (and potentially lots of other) records went and if they were accessed. Another thing to remember is that usually anyone that works anywhere near patient records is vetted through DBS and has signed a confidentiality agreement that they will not disclose anything that they learn in the course of their time there. Lastly, there is the sheer volume of information that generally comprises a full medical record: they aren’t easily read and understood by non-clinicians and seldom contain information that could make you vulnerable to financial theft.
>
> Nevertheless I can totally understand how unsettling it could be but I’d appeal to you to not catastrophise - although they’ve been sent it’s very unlikely they’ve been opened and less likely still that the reader has stuck with it for long enough to learn anything about you.
>
> Good luck getting it sorted out.

 

Thank you, I am working on catastrophising the events and will attempt to see the GP if the panic continues.

My files were emailed to people working in an IT firm; they were sent, apparently mistakenly. So while they probably have done nothing, it is highly unlikely they would have undergone the stringent checks those actually working for the trust would have.

Writing my letter now.


If the IT firm was working for the trust then they would be bound by a duty of confidence and would likely be DBS checked.

The IT firm should also have an audit trail for any access to the information. This is why I suggested you identify:

 

> Is the problem that they were sent by a correct method to people who shouldn’t have been sent them?
>
> That they were sent to people who should have had access to the information (& would have been bound by a duty of confidentiality) but they were sent by an insecure method (e.g. outside the N3 network and/or unencrypted) meaning others could have accessed them?
>
> Or a mixture of both??

 

So you have an idea of what risk has been created.

 

What resolution / outcome are you looking for?


3 weeks later...

> If the IT firm was working for the trust then they would be bound by a duty of confidence and would likely be DBS checked.
>
> The IT firm should also have an audit trail for any access to the information. This is why I suggested you identify:
>
> So you have an idea of what risk has been created.
>
> What resolution / outcome are you looking for?

I really want an apology and some form of compensation, though I haven't directly requested that.

Now my letter etc has been passed to a complaints depot.

I received a letter answering my questions, refusing FOI because that would have affected their data protection.

Basically told that despite the original letter stating it was my entire record now it is apparently not.

I had an exercise referral and I self-referred for counselling - the reasons are private and even my doctor who referred didn't know. It is that information that was shared, and I was told 'it isn't much'.

I informed them that that was confidential and should only have been shared if necessary to another medical professional and I wasn't happy with the response.

Still waiting....


I think you should begin a formal complaint with the ICO.

 

I suggest the way to do this is to use their complaints telephone number – see their website – make the complaint and if possible get a reference number. Follow-up with a letter of complaint.

 

Make it very clear to everyone that you are making two complaints. You're complaining about the leaking of information – your personal data – and you are also complaining about their refusal to respond to an FOIA request. Have you sent off an SAR?

 

I should make these complaints straightaway.


I asked:

> What was the detail of the FOIA request?
>
> It may be that some or all of what was requested wasn’t suitable for FOIA but more suited to a DSAR.....

 

Yet, your reply doesn’t actually give the details.

 

> I followed the advice from previous posts, so no information was actually given as it would breach their data! Oh the irony.
>
> I will get on to the ICO.
>
> Had no response at all re the SAR either.

 

Since you haven’t answered about what the precise details of your FOIA request were, it is hard to comment further.

Good luck, but I’m out.


Your previous posts detailed exactly what I should put in. I did that.

I requested full details of the event and names, Caldicott etc. – the advice is in a previous reply. I virtually copied your post into my letter, so you know what was in the letter because you told me what to put in. There is no need to be so offhand.

I have followed the advice that you so kindly gave, and while those questions were answered they have refused the FOI and I am still waiting for the SAR.

I have been offered a face to face meeting.
