A Costly Oversight: How Poor Processes Led to a Major GDPR Breach

Ruby Ashby

Reading time: 3 minutes

Reprimand issued to Staines Health Group

This GDPR breach medical records case demonstrates why documented procedures are essential when handling insurance requests. The reprimand relates to the unauthorised disclosure of 23 years of a patient’s medical records to their insurer when only 5 years had been requested. The ICO had to determine whether this constitutes a breach of the relevant data protection legislation.

The Law

Chapter II of the UK GDPR sets out the principles relating to the processing of personal data that controllers must comply with. Article 5(1) of the UK GDPR lists these principles. The principles relevant to this reprimand are as follows:

  • Article 5(1)(c) – the data minimisation principle – “data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”; and
  • Article 5(1)(f) – integrity and confidentiality principle – “data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”. This is also supported by Article 32 which sets out what a data controller should consider when assessing the appropriate level of security to implement.

Background

Staines Health Group received a request from Vitality on behalf of the Data Subject asking for a copy of his medical records for certain dates within a 5 year period. The request also asked for the records to be sent to the Data Subject first to review before being sent on to Vitality.

Instead of sending the 5 years of records requested, on 29 May 2024, Staines Health Group sent 23 years directly to Vitality. On 4 July 2024, Staines Health Group received a letter from the Data Subject raising a concern in relation to the records that had been disclosed. The Data Subject argued that he had received a reduction in the payout of his claim as a result.

Staines Health Group did not report the breach to the ICO until 30 July 2024. The Data Subject also lodged a complaint with the ICO.

As part of their investigation, the ICO asked for information about Staines Health Group’s policies, procedures or guidance in place at the time in relation to handling medical record requests from insurance companies. They were informed that the member of staff responsible had completed information governance training in March 2024 and insurance processing training in April 2022, but had received no refresher or further training before the incident. There was also no written process in place for handling insurance requests, and staff had to rely upon the training that they had received at the start of their employment.

The Decision

Following investigation of the GDPR breach medical records incident, the ICO concluded that Staines Health Group breached Articles 5(1)(c), 5(1)(f) and 32(1), as they had failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Specifically, they did not have any documented policies, procedures or guidance in place to assist staff when processing insurance requests, did not provide refresher training to staff, and did not review and update the information governance policy.

Following the breach, Staines Health Group completed a significant event report which aimed to establish the root cause of the breach and what lessons could be learnt from it. A written policy document was drafted that staff could follow when handling requests. They also added a new column into the working spreadsheet that noted where patients required sight of their medical records before they were sent to the insurance company. Additional training was also provided to staff.

The ICO therefore found that by the date of the reprimand, Staines Health Group had implemented appropriate measures. The infringements had therefore been remedied.

Comment

This GDPR breach medical records case highlights the importance of knowing the scope of a request and having the appropriate processes and procedures in place to ensure that requests are dealt with properly.


How can we help?

Ruby Raine-Ellerker is a Senior Associate in our expert Dispute Resolution team, specialising in data breach claims, inheritance and Trust disputes and defamation claims.

If you need any advice, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.
