ICO fires warning on fax use after fining NHS trust £55,000

The Information Commissioner’s Office has issued a warning to organisations that use fax machines to send out sensitive information after the watchdog fined an NHS trust £55,000.

In August and September 2011, the Single Point of Access Team at North Staffordshire Combined Healthcare NHS Trust sent three faxes from a machine designated as a safe haven, meaning that only staff authorised to see the information had access to it, through a secure entry point.

The faxes were intended for the trust’s Wellbeing Centre. However, on each occasion – as a result of incorrect dialling – they were instead received by a member of the public.

The faxes contained confidential and highly sensitive information relating to three patients, including their names, addresses, medical histories, and details of their physical and mental health.

The ICO found that the Wellbeing Centre’s new fax number had not been pre-programmed into the Single Point of Access Team’s fax machine, even though members of the team regularly sent faxes to the Centre. As a result, the fax number was entered manually each time.

The fax number of the unintended recipient differed from the Centre’s number by just one digit. Staff at the Single Point of Access Team did not operate a ‘call ahead’ system which would have alerted the trust that the faxes had not been received by the Centre.

North Staffordshire had published a safe haven policy and best practice guidance. This included a requirement for staff to pre-programme the most frequently used numbers into safe haven fax machines and to operate a ‘call ahead’ system.

However, the Single Point of Access Team was not aware of these documents, and its staff had received no training on fax use.

The ICO said these shortcomings were exacerbated by a lack of effective management control.

ICO Enforcement Group Manager, Sally Anne Poole, said: “Let’s make no mistake, this breach was entirely avoidable. One phone call ahead to the trust’s Wellbeing Centre would have alerted its staff to the fact that the number they were entering was incorrect. This would have stopped highly sensitive information about the care of vulnerable people being sent to a member of the public on three separate occasions.

“This case should act as a warning to all organisations that routinely send out sensitive personal information by fax. Make sure you have appropriate procedures and controls in place, so that errors can be spotted before it is too late.”

Fiona Myers, chief executive of North Staffordshire Combined Healthcare NHS Trust said: “We take the security of the information we hold very seriously and accept the Information Commissioner’s Office (ICO) findings. We welcome the acknowledgement by the Information Commissioner that substantial remedial action has been taken by the Trust in regard to this matter following the breach in 2011, that there was a detailed audit report and that we have cooperated fully with the ICO throughout the process.

“We have in place systems and policies to safeguard the information we hold which we have strengthened to reduce the risk of such a breach occurring as a result of human error.”

Myers added: “To provide some context, there has been no previous similar security breach of information by the Trust in this regard and we took the matter seriously by voluntarily reporting the matter to the ICO to ensure that every effort was made to learn from the incident. We provide comprehensive training on information governance, which is part of our annual mandatory training programme and this has been refreshed.
“Moving forwards, to ensure all information is transmitted securely and that a similar incident could not occur, we no longer use fax machines to send patient identifiable information. This is now done using a secure GOLDFAX system, within strict guidelines.”

The ICO has published guidance on the secure use of fax machines.