GP Surgery has given my medical history to another patient

I received a call from my GP surgery yesterday and they stated that had printed my medical history summary and given it to another patient in error.

The other patient took the information away and apparently returned it to the surgery later that day when they realized it was not theirs.

The surgery then asked me what i wanted to do about the issue. I suggested that they check their own/NHS data protection reporting requirements and send me a copy of the data supplied to the other patient.

Today after asking again, I received the data. It's as bad as it could be, name, address, date of birth, NI number, NHS no, hospital number, email, mobile and full details of my health conditions (some incredibly sensitive) & prescriptions associated with those conditions and test results inc bloods etc.

The surgery are trying to play it down and suggested that they may be able to get the other patient to sign a disclaimer to say they have not read or made copies. I'm not sure i'm particularly interested in that. They have also said that their Data Protection Officer is not sure it warrants reporting to the ICO, which i find hard to believe.

I am seriously annoyed and would welcome any thoughts or advice.

One of the companies I am involved with has reported itself to the ICO for far less. They replied and said that they were satisfied with how the matter had been dealt with and no further action. There is nothing to be gained by them not reporting it, I find it bizarre that they would not.

It's all work and takes time, if they can mollify the OP without doing it then it makes sense.

‘A minor error in the grand scheme of things?’ In terms of protecting a patient’s data this is about as big an error as it gets, short of plastering it on social media.

OP has every right to feel aggrieved.

I bought my house from a GP who was the on-call doctor for the local Police force. When I cleared the office above the garage I found roughly 5000 copies of the paperwork relating to them being called out to attend to someone during their arrest. The paperwork included the 3rd parties full name, medical condition and details of treatment given.

I class this as pretty sensitive. I called the ICO to ask for advice. They asked if I could pop them in my recycling bin.

Based on my interaction with them, I wouldn't imagine the ICO to go tearing around to your doctors surgery to conduct a full audit.

Ask for a full, unreserved apology, an undertaking that the matter will be investigated, detailed explanation given and steps taken, whilst reserving the option to take further action should the breach ultimately prove to cause you any form of harm or inconvenience in the future?

I tend to side with Bill. It's one patient's details disclosed by mistake to one other patient who may not even have read the details. It hasn't been done maliciously nor for commerical gain.

If it had happened to me I would expect an unreserved apology and an assurance that the error had been investigated in accordance with NHS and ICO requirements and that measures had been taken to ensure it cannot happen again.

It doesn't really matter what the layperson might think, from a healthcare perspective it's a serious error. Patient confidentiality is absolutely sacrosanct and any breach is taken very seriously, it's just how it is.

I would certainly be expecting them to pay for a fraud monitoring service (e.g. experian) for at least a year. As the others have said, patient PII is protected health information and (should) be held to an even higher standard of protection, so they should deffo face an ICO investigation !

Depends on how many other people the same type of mistake has happened to.

And just because it hasn't ended badly (hopefully!) isn't exactly mitigation of the original failure.