Lydia Posted February 18, 2015

Today my GP surgery sent me an email. However, they sent the email to lots of people and included all our emails in the 'TO' box, so my email address, along with everyone else's, has been circulated. I have been able to identify at least 7 people from that email (friends, a couple of ex-colleagues, a couple of people I went to school with and a teacher from my secondary school). They have probably been able to identify me, too, especially as I have an unusual surname.

Luckily the email itself did not contain any medical or sensitive information. But it does confirm that we are patients of the practice of course. I consider that a breach of confidentiality. Plus, of course, those emails could be copied and used in different ways or sold on to a third party, which is contrary to the Data Protection Act. In addition, your email address is often used as your login to various secure sites these days.

I am livid! This stuff is so easy to get right that I cannot believe that they, a GP surgery, got it wrong. They have sent another email with a somewhat 'jokey' apology, blaming a 'slip of the finger' and saying that we only got 500 emails each, not all of them. So that's all right then!!!

I wonder if anyone knows the best way to tackle this, please? I have written to the Practice Manager but I have a feeling he will just come back with a pithy apology and a shrug of the shoulders. Who else should I go to? What else should I do? I did Google but the information seems to be geared towards what GPs should do if they have breached confidentiality or what you should do if your GP has breached your medical information. In this case it's the administration that has breached confidentiality, not the GPs themselves.

Any advice gratefully appreciated. Many thanks
merlina Posted February 18, 2015

It rather depends what outcome you're looking for? You could certainly tell them that:
a) You consider that they have disclosed highly confidential information
b) They have a duty under the Data Protection Act to safeguard this information
c) Failure to do so by having secure processes in place is a contravention of the Acts
d) You want to know what they are doing to make sure that this never happens again, and if you are not satisfied with their response you will be making a formal complaint to the Data Protection Registrar

I would be more than livid too.
soapdragon Posted February 18, 2015

There must be a regulatory body for GPs, the General Medical Council? Prob your Citizens Advice could tell you. I'd get a contact for this board/body and write to them telling them what has happened and how you feel this is a breach etc., copying in your GP practice, of course. I hate these 'round robin' emails and you certainly should not be getting them from the GP.
Egluntyne Posted February 18, 2015

That is a gross breach and I would address your initial complaint to the practice manager. Whoever sent this email needs a verbal slap and they need to tighten up their procedures. If you are dissatisfied with their response, refer the matter to the GMC.
kissinuk Posted February 18, 2015

It isn't great that this has happened, but at the end of the day it's only an email address that has been breached; I wouldn't think you'd need to take it any further. Sounds like it was a simple human error. At least it wasn't anything serious like a bank card going to the wrong address.
Olly Posted February 18, 2015

I am inclined to agree with kissinuk - yes, I'd be pretty cross, but these things happen and, as you say, it didn't reveal any sensitive information. If you do decide to take it further then the correct course would be to contact the Information Commissioner, because it's a potential breach of the Data Protection Act. However, you would have to raise it with the GP first. In reality I doubt the ICO would do much in the case of a minor breach such as this.
The Dogmother Posted February 18, 2015

Blumming annoying for you. I am with Olly on this one - no personal information has been passed on, but they are still in breach of the Data Protection Act, and they really ought to know better, especially as they are in possession of very confidential, private data. I would complain to the Practice Manager, and say that you're not taking it further, but that they really ought to have more stringent controls in place... in fact the Act demands that they do have... and that one more slip and they're in trouble.

Our street has a community email thing which goes round to discuss the annual street party; one resident persists in putting all the emails in the 'To' field; they are on their 2nd and final warning from me.
Olly Posted February 18, 2015

I think this raises a much wider issue about emails and confidentiality - a lot of people just don't think about the fact that they are passing on other people's email addresses, nor that they have forwarded something and that the original sender might not intend it to have been seen by others, or that there might be other information in the chain that has dropped out of sight unless you scroll down. My advice (and I talk about email risk quite a bit) is 'never write in an email something that you wouldn't put on a postcard', or an alternative one is '... or shout across a crowded room'.
gavclojak Posted February 18, 2015

They have indeed breached their own Information Governance policy; IG ensures necessary safeguards for appropriate use of patient and personal information. I too would be irritated and would speak to the Practice Manager; I'm sure they are embarrassed by their error. I guess there will be a disciplinary meeting and it will be noted in their IG significant events folder (yes! I know, we all have to have them), but to be honest it is just an email, and secure sites need more than that to access personal information.

I think that at any point you could have walked into your GP waiting room and bumped into any of those people on that list; unfortunately waiting areas do not give you any privacy from other patients, especially when your name is called out.
Alis girls Posted February 19, 2015

They should lodge a significant event to be reviewed at their next meeting - it's to sort out any problem which could mean harm comes to a patient by a member of staff. Okay, it's not harm as such, but your privacy has been violated. Hope you get it sorted.
Bramble Posted February 20, 2015

I would certainly speak to the Practice Manager - in this instance there is no real harm done (although I appreciate that's not the point), but it might be different another time and the PM needs to be aware of it and make sure it doesn't happen again. As others have said, the danger with emails is it's all too easy just to press "send" without thinking about the effects, and I think they just need to tighten up their policies a bit.
majorbloodnock Posted February 20, 2015

I have to admit this thread has surprised me in several ways, none of them great.

I'm surprised a Practice has made a basic mistake like this. Mass mailing by any business shouldn't be in the hands of someone with so little knowledge of the guidelines and laws surrounding such activities.

I'm surprised the Practice, when made aware of the issue, failed to take the complaint seriously. Some of the rules around mass mailing are taken very seriously, and contravention could (and has) land a business in significant legal trouble. Even if that's not the case here, the whole subject deserves to be taken seriously.

I'm surprised at the responses saying that it's just an email address that's just been disclosed. Whilst, taking the story as it stands, I don't see this as a big risk to any of the addressees, the major security questions aren't related to what's gone wrong, but rather what could have gone wrong. Security, especially in the IT world, is about multiple layers of protection, and as much about processes as technology. The fact someone has been able to access multiple patients' information and disclose some (admittedly in this case, trivial) personal information strongly implies the practice doesn't have robust processes in place for proper handling of this kind of data, and in a medical practice, that's worrying.

So has much harm been done? No. Is that OK, then? No. Should it be left at that? No. Should a witch-hunt be embarked upon? No. Should the practice be made to tighten up? Absolutely. Whose responsibility is it within the practice? The practice manager. Should they be asked to provide evidence that steps are being taken? Yes, although for obvious reasons not specifics about security. What if they continue to be dismissive? That's when I personally would take it further to the GMC as a breach of the Data Protection Act. Carrot first, but big stick if necessary.
Egluntyne Posted February 20, 2015

That is what I said, but not in so many words.
majorbloodnock Posted February 20, 2015

Quoting Egluntyne: "That is what I said, but not in so many words."

Yes, you did. I'd love to say that my not reading through the responses properly comes as another surprise for me. Sadly, given the way today's going, that'd be a lie. Sorry for that.
Lydia (Author) Posted February 20, 2015

Thank you, everyone, for your responses. It's always good to get a balanced view of these things.

I had already written a letter of complaint to the Practice Manager when I started the thread. To his credit he responded immediately. He apologised, took responsibility for his staff and their error in this instance and said they had reported the breach to the Information Commissioner. He also said they would no longer be using email to contact patients, which is a shame in this day and age, but if they can't be trusted to get the basics right, then perhaps it's for the best. I think quite a lot of people complained (good) so I think they had no choice but to take it seriously and take swift action.

The thing is that I use a number of email addresses but I gave them the one that identifies me by name because I thought I could trust my GP practice. Had I known, I would have given them one of the others that doesn't use my name! You live and learn!

Thank you all, once again.
kissinuk Posted February 20, 2015

Quoting majorbloodnock: "I'm surprised at the responses saying that it's just an email address that's just been disclosed. Whilst, taking the story as it stands, I don't see this as a big risk to any of the addressees, the major security questions aren't related to what's gone wrong, but rather what could have gone wrong. Security, especially in the IT world, is about multiple layers of protection, and as much about processes as technology. The fact someone has been able to access multiple patients' information and disclose some (admittedly in this case, trivial) personal information strongly implies the practice doesn't have robust processes in place for proper handling of this kind of data, and in a medical practice, that's worrying."

I never said it was right, only that it was just an email address, so is relatively minor. Regulators in the IT world would class this as a "near miss"; very unlikely that a fine would be issued or further action taken. Yes, they need to clamp down on security, but does someone need to potentially lose their job? No, probably not.

Multiple layers of security make no difference if the person requires access to the data to perform their job. Yes, data will (should) be protected from others, but there will always be a need for certain roles to have direct access. In this case it is probably within his/her role to require access to the email addresses of all patients.