GP surgery hit with £40k penalty after data breach

A GP practice has been hit with a £40,000 monetary penalty notice by the Information Commissioner’s Office after it revealed confidential details about a woman and her family to her estranged ex-partner.

The ICO said Regal Chambers, in Hitchin, Hertfordshire, gave out the information despite express warnings from the woman that staff should take particular care to protect her details.

The data breach followed a subject access request by the ex-partner for the medical records of the former couple’s son.

Staff at Regal Chambers responded in July 2014 with 62 pages of information that included the woman’s contact details as well as those of her parents and an older child the man was not related to.

The person responsible for handling the request had advised the child’s GP about it, but in the absence of a sufficient written procedure, went ahead and released everything.

The ICO said its investigation found staff did not receive adequate guidance or supervision about what could be disclosed or should be withheld.

The watchdog concluded that the GP practice had insufficient systems in place to guard against releasing unauthorised personal data to people who were not entitled to see it. This was a breach of the Data Protection Act.

The ICO said it had set the fine at £40,000 because the practice’s partners would be individually liable, but that, given the serious nature of the breach, most organisations would have expected to receive a much larger fine.

Steve Eckersley, the ICO’s Head of Enforcement, said: “Most people would be horrified to think the information they entrust to their GP was being treated with anything less than the utmost care. In this case a patient reinforced this; however, her pleas went unheeded.

“When that information could have devastating consequences if released incorrectly, it is even more important that measures are robust.

“There is no doubt that releasing this information would have caused great distress to the woman, her children and the rest of her family.”

Eckersley added: “In failing to ensure staff were properly equipped to safeguard against unauthorised disclosures, this medical practice placed a member of its team in the firing line.

“It was unfair to expect this person to deal with the potentially devastating fall-out created by sharing personal data wrongly. GPs could have protected staff by providing proper support, training and guidance. They did not do this.”