NHS trust hit with £60,000 ICO fine after database oversight

The Information Commissioner’s Office (ICO) has fined St George's NHS Trust in London £60,000 after it sent sensitive medical records by post to the wrong address.

The Trust twice sent personal information to an address that the patient in question hadn't lived at for five years.

The patient's correct address had been logged on the NHS Spine, national care record while the patient had also supplied the Trust with the correct address prior to an examination.

“It’s hard to imagine a more distressing situation for a vulnerable person than the thought of their sensitive health information being sent to someone who had no reason to see it,” said Stephen Eckersley, the ICO's head of enforcement.

The ICO was critical of the processes in place at the Trust, which allowed staff to bypass prompts intended to remind them to check patient details using Spine.

“This breach was clearly preventable and is the result of the Trust’s failure to make sure the contact details they have for their patients are accurate and up to date,” added Eckersley.

The data breach at the Trust is also indicative of the lack of faith shown by NHS staff in the Spine system.

The current deputy government CIO, Liam Maxwell, has previously suggested that the health service would be better off using health systems from Microsoft or Google than using the NHS Spine.