Digital Transformation

NHS hit by its first data breach fine

First NHS organisation handed fine for insufficient data protection system

A Welsh health board has been fined £70,000 for a serious data breach that saw sensitive information regarding a patient’s health sent to the wrong person.

The Aneurin Bevan Health Board (ABHB) is the first NHS organisation to incur such punishment, and the Information Commissioner’s Office (ICO) has suggested that others take note of the need for adequate data security in a bid to avoid facing similar action.

"Organisations across the health service must stand up and take notice of this decision if they want to avoid future enforcement action from the ICO," said Stephen Eckersley, head of enforcement for the ICO.

According to the ICO’s findings, two members of staff were involved in the information breach, and neither of them had received data protection training – a factor that has now proved costly following the investigation.

With the organisation also found to be lacking the necessary checks and balances to ensure personal information is sent to the right patients, it appears far more could have been done to prevent the lapse in security.

Considering how the rise of the internet has led to an increased focus on the need for sufficient systems that protect people’s personal records, events such as these highlight the potential pitfalls of failing to do so, and one expert believes a proper security plan is essential to avoid similar breaches occurring.

"Developing a security plan to ensure your personal details do not end up in the wrong hands is imperative," said Tony Neate, chief executive officer at Get Safe Online.

With records storage and secure online backup services able to provide facilities that improve a company’s data protection strategy, more organisations may consider implementing the measures as a means to reduce the risk of accidentally exposing sensitive information.

Indeed, given the threat of fines, reputational damage and broken business continuity, it appears adequate security systems for safeguarding data will continue to become ever more important.