How to handle a data breach of confidential patient information

Data security incidents in healthcare have increased, so it's important to know what action to take to address any loss of confidential information.

Under data protection law, healthcare organisations are responsible for patient data, and are legally obliged to store it securely and protect it from unauthorised or unlawful processing.

Data security incidents are relatively common within healthcare settings. The most recent data security incident trends published by the Information Commissioner's Office (ICO) show that between April 2021 and June 2021 there were 607 data security incidents in the health sector - up from 420 the previous quarter. The ease and speed with which data can be shared, along with the current surge in clinical admin, may partly be behind the increase in data loss incidents.

Recent trends

According to the ICO, the commonest reasons for data to fall into the wrong hands were that it was lost or stolen from an insecure location (112 incidents) or sent to the incorrect recipient (67 by email and 56 by post or fax). In 73 incidents there was unauthorised access to the system (65 non-cyber and eight via cyber methods). In 19 cases there was verbal disclosure. In eight cases, failing to use BCC in an email meant email addresses were visible to all recipients.

These figures help to illustrate the recurring themes in data incidents and the areas where your organisation should focus its efforts on reducing data loss - for example, double-checking recipients' contact details, not discussing patient information verbally in a public place, and exercising caution when redacting documents and disposing of hardware or paperwork.

Such breaches are not only distressing for patients, but also have wider implications such as reputational damage to the organisation involved and significant financial penalties.

When faced with this type of personal data breach it is important to address it appropriately.

Reporting a data breach

A personal data breach is defined by the ICO as, "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."

All health service organisations in England must use the Data Security and Protection Incident Reporting tool. This has been designed to identify those breaches that meet the threshold for notification. The reporting tool shares relevant incidents with NHS Digital, the Department of Health, the ICO and other regulators. Practices in Scotland, Wales and Northern Ireland must report a data breach using the ICO breach reporting tool if it is likely to result in a 'risk to the rights and freedoms of individuals'.

If there is an urgent security-related incident you can contact the Data Security Centre helpdesk on 0300 303 5333. Local incident management must still be carried out in the normal way.

These reports must be made without undue delay, and not later than 72 hours after you become aware of the breach. The notification must include:

  • the nature of the personal data breach, including the categories and approximate number of individuals and personal data records concerned
  • the name and contact details of the data protection officer or other contact point
  • a description of the likely consequences of the personal data breach
  • a description of the measures taken or proposed to deal with the personal data breach, including measures to mitigate possible adverse effects.

Informing patients

The General Data Protection Regulation (GDPR) states that you should inform the data subject if a breach is likely to result in a high risk to their rights and freedoms, such as if the data refers to a person's health. This is a higher level of risk than under the ICO notification procedures. An accidental disclosure of patient records or sensitive medical information is likely to be of high risk to the rights and freedoms of patients, requiring you to inform the data subject.

This is because of the significant impact on those affected due to the sensitivity of the data and the potential for confidential medical details to become known to others.

Failure to notify a breach appropriately can result in an administrative fine which could be up to €10 million or 2% of your global turnover.

Make sure all staff are aware of what constitutes a data breach, and that it is not just loss of personal data. Have robust procedures in place to detect, investigate and report breaches.
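As an added worked example (not from the original article or the MDU), the reporting decisions described above expressed as a small Python triage helper: it picks the reporting route by nation, computes the 72-hour deadline from the time the organisation became aware, flags that patients must be informed when health data is involved, and checks a draft notification for the four required elements. The Breach class, its field names and the sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Deadline stated in the guidance: without undue delay, at most 72 hours after awareness.
NOTIFY_WINDOW = timedelta(hours=72)
# The four elements the guidance says a notification must include.
REQUIRED_FIELDS = ("nature", "contact", "consequences", "measures")

@dataclass
class Breach:  # assumed structure, not a real reporting-tool schema
    nation: str                 # "England", "Scotland", "Wales" or "Northern Ireland"
    aware_at: datetime          # when the organisation became aware of the breach
    involves_health_data: bool  # records, letters, diagnoses, medication history ...
    risk_to_individuals: bool   # 'risk to the rights and freedoms of individuals'
    notification: dict = field(default_factory=dict)  # draft notification content

def reporting_route(b: Breach) -> str:
    """Reporting tool for the breach, following the guidance by nation."""
    if b.nation == "England":
        return "DSP Incident Reporting tool"  # the tool itself applies the threshold
    if b.risk_to_individuals:
        return "ICO breach reporting tool"
    return "local incident management only"

def deadline(b: Breach) -> datetime:
    return b.aware_at + NOTIFY_WINDOW

def must_inform_patients(b: Breach) -> bool:
    """GDPR high-risk test; the guidance treats health data as high risk."""
    return b.involves_health_data

def missing_fields(b: Breach) -> list:
    """Required notification elements that are absent or empty."""
    return [f for f in REQUIRED_FIELDS if not b.notification.get(f)]

def triage(b: Breach, now: datetime) -> dict:
    return {"route": reporting_route(b), "deadline": deadline(b).isoformat(),
            "overdue": now > deadline(b), "inform_patients": must_inform_patients(b),
            "missing_fields": missing_fields(b)}

# Constructed sample modelled on the case example: a letter with
# mental-health details emailed to the wrong patient by an English practice.
SAMPLE = Breach(nation="England",
                aware_at=datetime(2021, 8, 11, 9, 0, tzinfo=timezone.utc),
                involves_health_data=True, risk_to_individuals=True,
                notification={"nature": "letter emailed to wrong patient; 1 individual",
                              "contact": "DPO <placeholder contact>"})

if __name__ == "__main__":
    print(triage(SAMPLE, datetime.now(timezone.utc)))
```

Running the helper on the sample shows the notification is still missing its consequences and measures sections, the two parts most often left until after the deadline has passed.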

Learning from a data breach

Any breach of patient data would usually be discussed under your organisation's significant event audit (SEA) process to identify learning points. There may be system or human factors that contributed to the incident, and being able to inform the patient that it has been internally reviewed may reassure them that they do not need to escalate matters. Depending on the underlying reason, further staff training or system changes may be required.

Contact your medical defence organisation for further advice and support on dealing with a data breach.

Case example

This anonymised example is based on MDU cases.

A GP emailed a letter intended for one patient to another with a similar name. The letter, which a patient had requested for ongoing custody proceedings, outlined mental health history, medication history and details relating to drug and alcohol misuse.

The practice was contacted by the second patient, who was shocked to receive a letter containing such sensitive details and realised that it did not relate to her.

The practice apologised to the second patient for this data breach and ensured the letter was deleted. A senior GP also rang the patient who was the subject of the letter to explain what had happened. The practice provided a formal written summary of the situation to the patient, apologising and giving details of the actions taken. They offered a meeting and explained how to complain if she remained dissatisfied. This is in line with GMC guidance to be open and honest with patients when things go wrong. The practice also reported the incident using the Data Security and Protection Incident Reporting tool.

A version of this article first appeared in GP online.

This page was correct at publication on 11/08/2021. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.