GDPR Data Breach
Author
Discussion

sutoka

Original Poster:

4,716 posts

131 months

Wednesday 4th January 2023
Unsure how to proceed with this, but here goes; bear with me while I map it out.

I had an MRI scan on the NHS back in September 2022 and was told the disc images and report would be due in three weeks and to make a request to the Medical Legal Department. I gave it a month and was then told there was a delay getting the report. Again I gave them two months, so end of November 2022. I was told both parts weren't ready, so they lied and passed me from pillar to post until mid December. Given I've had scans every six months for the last 3 years, I know how difficult it can be to get info from the health trust; I filled in plenty of consent forms, sent photo ID etc.

So on 20th December I get an email with my name and "Data Protection SAR" at the top. It says PRIVATE and CONFIDENTIAL and has attachments about the importance of GDPR and keeping my own data secure. Except the attachments aren't for me and contain the personal information of a stranger: it's a Subject Access Request from a Police Force with the name, address, postcode and healthcare number of a woman who it seems has applied for a job. The address at the top is a police station and it seems to be for a driving job.

So clearly they've breached GDPR, but I googled my name and the police force and there is a man with the same name as me who is deputy chief. Surely they haven't just typed my name into the system and picked it out without checking it's the right email address. I replied back on the 21st explaining that they've sent me the information of a complete stranger and breached their own GDPR. I have yet to receive a reply. Also on my mind is: did they send my information to the police email?

Should I send it to the ICO, should I contact the Police force and ask if they got my records, should I just keep emailing the Medical Legal department? Unsure how to proceed, but a relative told me over Christmas that as manager of a bank they have sacked a few careless folk for doing the exact same thing.

BertBert

20,894 posts

234 months

Wednesday 4th January 2023
The background doesn't make much sense to me.

Why are you asking Medical Legal for the results of your tests? Did you make a subject access request?

Who is "Medical Legal"? A hospital department?

C n C

3,886 posts

244 months

Wednesday 4th January 2023
May well be worth looking up who is the Data Protection Officer for the NHS Trust concerned, and contacting them directly to make a formal notification of the GDPR breach. Even if you can't find the named individual, there will certainly be a published DPO email to start the ball rolling.

I've just found my local NHS Trust DPO email by googling:
"Mylocalhospital NHS Trust GDPR data protection officer"

They will have a formal process in place to deal with it, and having known several DPOs both in the NHS and local government, they would normally take it very seriously. Certainly in more than one organisation in which I've worked, DPO breaches had to be notified to senior management (Chief Exec's office).

ETA:
If you don't get any joy from this, make a formal complaint to the Trust via their complaints procedure, and ultimately escalate to the ICO. Obviously keep a record of all correspondence - letters, emails etc.. and make notes of the dates of all contact, so you have a documented timeline of everything.

Further ETA:
The NHS national body responsible for data protection across the country is NHS Digital.
Jon Moore is the NHS Digital Data Protection Officer, and can be contacted on:
enquiries@nhsdigital.nhs.uk
Further info on NHS Digital and GDPR is available here.
Edited by C n C on Wednesday 4th January 08:02

williamp

20,111 posts

296 months

Wednesday 4th January 2023
The first part should be dealt with easily under "access for health records" and didn't need the DPA18.

But yes, they have sent you someone else's personal data. They have breached their confidence, not yours. So do please let them know.

Vanden Crash

832 posts

73 months

Wednesday 4th January 2023
Do inform the ICO

Will not result in a fine but will give them the information needed to assist the organisation to improve

vaud

58,030 posts

178 months

Wednesday 4th January 2023
I had something similar from the Met Police (personal/HR data from an employee on sick leave). I reported it to the person that sent it and to their DPO. They were very responsive (as in within an hour of emailing) and kept me informed.

Pot Bellied Fool

2,248 posts

260 months

Wednesday 4th January 2023
C n C said:
May well be worth looking up who is the Data Protection Officer for the NHS Trust concerned, and contacting them directly to make a formal notification of the GDPR breach. Even if you can't find the named individual, there will certainly be a published DPO email to start the ball rolling.

I've just found my local NHS Trust DPO email by googling:
"Mylocalhospital NHS Trust GDPR data protection officer"

They will have a formal process in place to deal with it, and having known several DPOs both in the NHS and local government, they would normally take it very seriously. Certainly in more than one organisation in which I've worked, DPO breaches had to be notified to senior management (Chief Exec's office).

ETA:
If you don't get any joy from this, make a formal complaint to the Trust via their complaints procedure, and ultimately escalate to the ICO. Obviously keep a record of all correspondence - letters, emails etc.. and make notes of the dates of all contact, so you have a documented timeline of everything.

Further ETA:
The NHS national body responsible for data protection across the country is NHS Digital.
Jon Moore is the NHS Digital Data Protection Officer, and can be contacted on:
enquiries@nhsdigital.nhs.uk
Further info on NHS Digital and GDPR is available here.
Edited by C n C on Wednesday 4th January 08:02
^^^Wot he says^^^

Absolutely, all day long. Report it direct to the DPO (details WILL be on website) and I'd expect them both to become quite excitable over a breach like this. It's pretty clear cut that systems and/or training need some work if this has happened! (One of my hats is cybersecurity & a side helping of information governance)

As someone else mentioned, I'd be very surprised if you didn't get an extremely quick response from the DPOs, they understand the significance of this and the potential ramifications.

You could also report to the ICO given the nature of the organisations concerned. The ICO is overwhelmed & generally concentrates on mass breaches but it'd do no harm.

If you've not had a response pretty sharpish (I'd give them 72hrs but you might want to be nicer) then I'd escalate right to the top. They won't really understand it but the words 'Data Protection' strike fear into the hearts of CEOs and it then lands on someone's desk with an almighty thud!

You want clear, definitive confirmation from them as to where, or if, your information has been disseminated too.

sutoka

Original Poster:

4,716 posts

131 months

Wednesday 4th January 2023
BertBert said:
The background doesn't make much sense to me.

Why are you asking Medical Legal for the results of your tests? Did you make a subject access request?

Who is "Medical Legal"? A hospital department?
Medical Legal is the Department in my local healthcare trust which deals with requests for medical reports and scan images. Particularly when reports are needed for personal injury and medical negligence cases.

sutoka

Original Poster:

4,716 posts

131 months

Wednesday 4th January 2023
Pot Bellied Fool said:
C n C said:
May well be worth looking up who is the Data Protection Officer for the NHS Trust concerned, and contacting them directly to make a formal notification of the GDPR breach. Even if you can't find the named individual, there will certainly be a published DPO email to start the ball rolling.

I've just found my local NHS Trust DPO email by googling:
"Mylocalhospital NHS Trust GDPR data protection officer"

They will have a formal process in place to deal with it, and having known several DPOs both in the NHS and local government, they would normally take it very seriously. Certainly in more than one organisation in which I've worked, DPO breaches had to be notified to senior management (Chief Exec's office).

ETA:
If you don't get any joy from this, make a formal complaint to the Trust via their complaints procedure, and ultimately escalate to the ICO. Obviously keep a record of all correspondence - letters, emails etc.. and make notes of the dates of all contact, so you have a documented timeline of everything.

Further ETA:
The NHS national body responsible for data protection across the country is NHS Digital.
Jon Moore is the NHS Digital Data Protection Officer, and can be contacted on:
enquiries@nhsdigital.nhs.uk
Further info on NHS Digital and GDPR is available here.
Edited by C n C on Wednesday 4th January 08:02
^^^Wot he says^^^

Absolutely, all day long. Report it direct to the DPO (details WILL be on website) and I'd expect them both to become quite excitable over a breach like this. It's pretty clear cut that systems and/or training need some work if this has happened! (One of my hats is cybersecurity & a side helping of information governance)

As someone else mentioned, I'd be very surprised if you didn't get an extremely quick response from the DPOs, they understand the significance of this and the potential ramifications.

You could also report to the ICO given the nature of the organisations concerned. The ICO is overwhelmed & generally concentrates on mass breaches but it'd do no harm.

If you've not had a response pretty sharpish (I'd give them 72hrs but you might want to be nicer) then I'd escalate right to the top. They won't really understand it but the words 'Data Protection' strike fear into the hearts of CEOs and it then lands on someone's desk with an almighty thud!

You want clear, definitive confirmation from them as to where, or if, your information has been disseminated too.
I've not had a reply from the medical legal department in over two weeks, so I think they've decided the best course of action is simply not to reply. I have emailed the DPO of the Health Trust and made them aware, and also requested they investigate whether my medical report and scans have been sent to anyone in error. Obviously I will keep all correspondence, emails and attachments, but not compile it any further by sending the stranger's personal information.

I'm not at all surprised this happens, as the department seems a complete mess and more like a buck-passing department. Over three months to get an MRI scan disc and medical report, dozens of emails and never the same person replying. When I had a scan done privately it took 24 hours and I had the report in my possession.

sutoka

Original Poster:

4,716 posts

131 months

Friday 6th January 2023
As predicted here, they responded to my email asking them to phone; the manager called yesterday morning.

Within 20 seconds on the phone to the manager she said it was because they were using a new computer system. So I asked whether the new system automatically adds attachments. They said no, then they apologised and admitted it was human error and someone had dragged it into my folder and sent it to me. I then asked why I hadn't received any of my own information, just the stranger's. They couldn't say why that was, and said none of my information had been sent to the wrong email. I can't prove otherwise, so I'll have to take their word on that. They told me they'd actually had training on GDPR a few weeks ago. However, the girl that made the error has been there for over four years.

Again to make it clear I'm not out to get anyone sacked but I've worked for companies and organisations that have whole departments dedicated to checking and double checking these things so they don't happen and it seems procedures are followed rigorously enough in this department.

Edited by sutoka on Friday 6th January 06:43

williamp

20,111 posts

296 months

Friday 6th January 2023
Pot Bellied Fool said:
C n C said:
May well be worth looking up who is the Data Protection Officer for the NHS Trust concerned, and contacting them directly to make a formal notification of the GDPR breach. Even if you can't find the named individual, there will certainly be a published DPO email to start the ball rolling.

I've just found my local NHS Trust DPO email by googling:
"Mylocalhospital NHS Trust GDPR data protection officer"

They will have a formal process in place to deal with it, and having known several DPOs both in the NHS and local government, they would normally take it very seriously. Certainly in more than one organisation in which I've worked, DPO breaches had to be notified to senior management (Chief Exec's office).

ETA:
If you don't get any joy from this, make a formal complaint to the Trust via their complaints procedure, and ultimately escalate to the ICO. Obviously keep a record of all correspondence - letters, emails etc.. and make notes of the dates of all contact, so you have a documented timeline of everything.

Further ETA:
The NHS national body responsible for data protection across the country is NHS Digital.
Jon Moore is the NHS Digital Data Protection Officer, and can be contacted on:
enquiries@nhsdigital.nhs.uk
Further info on NHS Digital and GDPR is available here.
Edited by C n C on Wednesday 4th January 08:02
^^^Wot he says^^^

Absolutely, all day long. Report it direct to the DPO (details WILL be on website) and I'd expect them both to become quite excitable over a breach like this. It's pretty clear cut that systems and/or training need some work if this has happened! (One of my hats is cybersecurity & a side helping of information governance)

As someone else mentioned, I'd be very surprised if you didn't get an extremely quick response from the DPOs, they understand the significance of this and the potential ramifications.

You could also report to the ICO given the nature of the organisations concerned. The ICO is overwhelmed & generally concentrates on mass breaches but it'd do no harm.

If you've not had a response pretty sharpish (I'd give them 72hrs but you might want to be nicer) then I'd escalate right to the top. They won't really understand it but the words 'Data Protection' strike fear into the hearts of CEOs and it then lands on someone's desk with an almighty thud!

You want clear, definitive confirmation from them as to where /if your information has been disseminated to too.
Sorry, but no. Sadly, the ICO won't get excited, and the trust CEO won't either...

https://ico.org.uk/action-weve-taken/data-security...

The health sector is responsible for 19% of all reported incidents: 851 reported incidents last year, over 2 a day. Every day. The highest of any sector. And that's just the ones which are reported...

But hey, down from over 5 a day in 2021. So last year, more than twice a day, someone's health data was subject to a reportable data breach..

CloudStuff

4,120 posts

127 months

Friday 6th January 2023
All trusts will need to have a senior officer appointed as the Caldicott Guardian

https://www.gov.uk/government/publications/the-cal...

Whether or not it's an effective thing to do, personally I would get in touch with the trust and ask who fulfills this role and complain to them (in addition to complaining to the admin team or whoever else is first line).

We shouldn't let this kind of thing just slide, imho. (But having worked with various NHS systems and data teams, in my experience they will jump on this, especially if a (supplier delivered) system is involved. Any system should prevent inadvertent dragging and dropping of clinical records!)

Edited by CloudStuff on Friday 6th January 22:34

Edited by CloudStuff on Friday 6th January 22:36

williamp

20,111 posts

296 months

Friday 6th January 2023
Not wishing to have an internet argument, but as an ex DPO of a hospital trust, I do know what I'm talking about.

Reporting to their DPO / the ICO is the right approach.

The Caldicott, much like the SIRO (senior information risk officer), will pass this on to the DPO to action, so it's easier to go to them. Remember it's not the OP's data that has been breached, so it's unlikely they will hear back.

The request for your data is a separate issue, and still valid. Keep pushing; NHS guidance is that you should have this data within 20 days.

BertBert

20,894 posts

234 months

Friday 6th January 2023
It's simply human error from overworked people. Doesn't make it right, but the NHS is ducked so mistakes are going to happen

What outcome do you want OP?

williamp

20,111 posts

296 months

Friday 6th January 2023
williamp said:
Not wishing to have an internet argument, but as an ex DPO of a hospital trust, I do know what I'm talking about.

Reporting to their DPO / the ICO is the right approach.

The Caldicott, much like the SIRO (senior information risk officer), will pass this on to the DPO to action, so it's easier to go to them. Remember it's not the OP's data that has been breached, so it's unlikely they will hear back.

The request for your data is a separate issue, and still valid. Keep pushing; NHS guidance is that you should have this data within 20 days.

sutoka

Original Poster:

4,716 posts

131 months

Saturday 7th January 2023
BertBert said:
It's simply human error from overworked people. Doesn't make it right, but the NHS is ducked so mistakes are going to happen

What outcome do you want OP?
The outcome I wanted was to know my personal information, scans and medical reports weren't being sent to the wrong person. For all I know, the person on the attachments could have been on the phone saying the same thing, having received my information.

The difference is that there's not a lot someone could do with my MRI scans but someone with a grudge against a police force or someone wanting to join could do a lot with what I received. Address was in Northern Ireland so that adds another dimension to it.

sociopath

3,433 posts

89 months

Saturday 7th January 2023
So did the form actually have any personal data on it, or just the person's name and address as you mentioned?

If it's the latter, wait until you hear about telephone directories

anonymous-user

77 months

Saturday 7th January 2023
Not defending the error, but now that you've made them aware, why are you still pursuing this?

Are you aware how much time this sort of thing takes from already overstretched staff? Most departments are short staffed, and this increases the risk of human error.

London trusts are introducing a new digital system of 'virtual wards' to monitor patients at home, to try to detect when they are deteriorating while on a waiting list for surgery.

It's an alternative to giving hospitals the resources (staff mainly) to actually treat them.

sutoka

Original Poster:

4,716 posts

131 months

Sunday 8th January 2023
sociopath said:
So did the form actually have any personal data on it, or just the person's name and address as you mentioned?

If it's the latter, wait until you hear about telephone directories
Would you want your full name, address, telephone number, healthcare number, job applied for and police job location sent out to complete strangers?

In fact since you don't seem to care why not post all your personal information below on a public forum full of complete strangers, I mean what's the worst that could happen.


Archie2050 said:
Not defending the error, but now that you’ve made them aware why are you still pursuing this?

Are you aware how much time this sort of thing takes from already overstretched staff? Most departments are short staffed and this increases the risk of human error,

London trusts are introducing new digital system of ‘virtual wards’ to monitor patients at home to try to detect when they are deteriorating while on a waiting list for surgery,

It’s an alternative to giving hospitals the resources (staff mainly) to actually treat them.
Who said I was still pursuing it? I emailed the relevant people and when I got a reply I stopped.

Edited by sutoka on Sunday 8th January 09:23

Sheepshanks

39,260 posts

142 months

Sunday 8th January 2023
williamp said:
The health sector is responsible for 19% of all reported incidents: 851 reported incidents last year, over 2 a day. Every day. The highest of any sector. And that's just the ones which are reported...
Late last year we had a couple of weeks of getting loads of phishing emails at work that, surprisingly to me, came from genuine NHS email addresses, with Capita behind them.

I did a bit of Googling and found reports that a cyber security firm did some research and found hundreds of compromised machines. Some ISPs were blocking all NHS emails!

I reported it to NHS Digital (so probably a Capita employee picks it up) and heard nothing back.