Scottish NHS trust ducks fine after staff shared patient data via WhatsApp
NHS Lanarkshire has been issued a reprimand by the Information Commissioner’s Office (ICO) after 26 staff at the trust used a WhatsApp group to share patient data, including names, telephone numbers and addresses, on over 500 occasions between April 2020 and April 2022.
Staff at the trust, which oversees three hospitals close to Glasgow in the towns of Airdrie, East Kilbride and Wishaw, also used the app’s functionality to share photographs, videos and screenshots, some of which included clinical information.
At one point, a non-staff member was added to the group in error, potentially exposing data to an unauthorised person.
During its investigation, the ICO found that WhatsApp had been made available to the trust’s staff during the Covid-stricken spring of 2020 on the basis that it would be used only for communicating basic information in support of remote administrative work.
However, the Meta-owned service was at no point approved by the trust for processing data, and was used as such without its knowledge. On discovering the breach, NHS Lanarkshire self-reported the incident.
“Patient data is highly sensitive information that must be handled carefully and securely. When accessing healthcare and other vital services, people need to trust that their data is in safe hands. We appreciate that NHS Lanarkshire, like all healthcare providers, was under huge pressure during the pandemic, but there is no excuse for letting data protection standards slip,” said information commissioner John Edwards.
“Every healthcare organisation should look at this case as a lesson learned and consider their own policies when it comes to both messaging apps and processing information about patients. We will be following up with NHS Lanarkshire to ensure that patient data is not compromised again.”
In a statement circulated to media, a spokesperson for the trust said: “We have received a formal reprimand from the ICO for the use of WhatsApp by one of our community teams to exchange personal patient data during the pandemic.
“We recognise that the staff took this approach as an alternative to communications that would normally have taken place in either a clinical or office setting but were not possible at the time due to Covid restrictions. However, the use of WhatsApp was never intended for processing patient data.
“We offer our sincere apologies to anyone whose personal details were shared through this group.
“We have already taken a number of steps including looking at alternative apps that can be introduced for the transfer and storage of images and videos within a care setting. This is being taken forward while considering the risks relating to the storage of any personal data,” they added.
The ICO said its investigation had concluded that NHS Lanarkshire lacked appropriate policies, guidance and processes when WhatsApp was made available to download, and had not carried out an assessment of the risks associated with sharing patient data using such a service.
Speaking to the BBC’s Good Morning Scotland, Edwards said the investigation had found no suggestion that the data was ever misused or that anyone acted improperly with it.
The ICO’s formal reprimand comes instead of a fine, which the regulator is trying to avoid imposing on public sector bodies on the basis that such penalties ultimately push the punishment onto the taxpayer. This policy has been in place for just over a year, although it has attracted criticism from some quarters.
The trust has, however, been advised to consider implementing a secure clinical image transfer system; to consider risks and assess and mitigate them prior to deploying new apps; to ensure staff are explicitly informed of their data protection obligations, including their responsibility to report a breach; and to review all organisational policies and procedures relevant to the incident, and amend them if necessary. The ICO said it would check on progress towards these goals in six months.
Clear training problem
Richard Forrest, legal director at law firm Hayes Connor, a data breach specialist, said the breach sadly reflected a lack of knowledge and awareness of data protection issues – notably the UK General Data Protection Regulation (GDPR) – in the health and social care sector.
A study commissioned by the firm, carried out in early 2020, found that on average one in five office employees had received no training on how to handle company data, GDPR or cyber security, and with data breaches attributable to human error continuing to grow in number, he said the overall picture was likely to worsen.
“As data breach solicitors, we see the majority of cases are in fact down to human error, causing untold impact and emotional trauma. We have worked on numerous human error healthcare data breach cases, and can attest to the very real threat they pose to both the NHS and the victims,” said Forrest.
“The number of incidents within the NHS in 2023 alone demonstrates a systemic problem of lack of training and awareness that simply must be addressed, not only to save the victims, but also to mitigate the continued damage this is having on the reputation of our NHS.
“To remedy the eroding public trust in NHS services, the NHS must reassure the public that there will be substantial reform in data practices, and that extra care will be taken when handling confidential information. It is clear that staff training should be at the forefront of these reforms,” he added.