A health firm has been fined £200,000 for emailing audio recordings of outpatient letters in an unencrypted format, and the transcripts of these conversations were then searchable online via an insecure FTP server.
The Information Commissioner's Office (ICO) issued the fine to HCA International Ltd after it was alerted that transcripts of outpatient letters could be found online.
The audio recordings were sent to a company in India for transcribing before being returned to staff at HCA International. However, the transcription company used an insecure FTP server to store and transfer the data, meaning the files were available online for anyone to access.
A customer made the firm aware of this on 8 April, 2015 and the ICO subsequently investigated.
The ICO issued the fine because HCA International Ltd had failed to ensure that its third-party contractor was following adequate data protection practices, as it is required to do when collecting and sharing personal data, and because it had sent the audio recordings unencrypted.
Steve Eckersley, head of ICO enforcement, said the case was particularly galling given that the company was aware of its data protection requirements in-house but had not considered how those requirements applied beyond it.
"The hospital had a duty to keep the information secure. Once information is online it can be accessed by anyone and could have caused even more distress to people who were already going through a difficult time," he said.
"What makes this case even worse is that we know the company is aware of its data protection obligations and already has appropriate safeguards in place in other areas of its business.
"The situation could have been avoided entirely if HCA International had taken the time to check up on the methods used by the contract company."
A spokesperson for the Lister Fertility Clinic, the division of HCA in which the breach happened, said the firm would be improving security as a result of the incident.
"We take the protection of our patients' confidential and sensitive information extremely seriously, however on this occasion we fell short of both the standards of the ICO and the high standards we set for ourselves," a spokesperson said.
"We have apologised to the seven patients affected for the distress this may have caused and we no longer work with the company involved. The Lister Fertility Clinic has put in place more rigorous checks and measures to ensure the safety of our patients' information."