
Belfast Trust fined £225,000 for leaving patient records exposed

Staff and patient records left in disused buildings without sufficient protection

The Belfast Health and Social Care (BHSC) Trust has been issued with a £225,000 fine by the Information Commissioner’s Office (ICO) for a "serious breach of the Data Protection Act" which saw thousands of records regarding patients and staff exposed to potential thieves.

The issue is said to date back to 2007, when six local Trusts were merged to form the BHSC Trust in a move which saw the newly established body take on the management of 50 disused sites – and it was in a number of these buildings that sensitive details of staff and patients were left unsecured.

Because the sites were not properly protected and the information stored in them had not been effectively disposed of, trespassers are said to have gained access to the Belvoir Park Hospital and taken photos of patient records before posting them online.

"The severity of this penalty reflects the fact that this case involved the confidential and sensitive personal data of thousands of patients and staff being compromised," said Ken Macdonald, the ICO’s assistant commissioner for Northern Ireland.

"The Trust failed to take appropriate action to keep the information secure, leaving sensitive information at a hospital site that was clearly no longer fit for purpose."

Considering that everything from the medical records and lab results of patients to unopened payslips intended for staff was exposed due to the Trust’s failure to take the necessary data protection measures, thousands of people could have been at risk had the records fallen into the wrong hands.

Indeed, the fine is a result of the Trust’s failure either to protect effectively or to dispose of the files that it had stored, and taking steps such as scanning documents into a secure online system before having them destroyed could have been one way to avoid the breach.