A controversial Welsh health board which was fined for releasing sensitive data to the wrong person told an angry complainant it “cannot find” a Freedom of Information Act (FOIA) request for more details about unauthorised access to patients’ records, The Eye can reveal.
The complaint is still outstanding.
Four years ago the Aneurin Bevan University Health Board (ABHB) became the first NHS body to be fined for breaching the Data Protection Act (DPA).
It had given important data about a patient to the wrong person and was fined £70,000.
A doctor misspelt a name and did not give enough detail about a patient to his secretary, meaning a report was sent to someone with a similar name.
The Information Commissioner’s Office (ICO) said the report contained explicit details relating to the patient’s health, and represented a serious breach of the DPA.
This time, papers we have seen show that a request for information about “access of patient records by rogue staff” was sent in August.
But the following month the complainant was told by ABHB: “unfortunately we cannot find any evidence of having received your original request”.
The same day the original questions were re-sent, including: “please provide the computer system you use to flag up details of potential unauthorised accesses”.
The ‘What Do They Know?’ website states: “Response to this request is long overdue.”
By law there are 20 working days to respond to an FOIA request.
ABHB was established in 2009 and covers Blaenau Gwent, Caerphilly, Monmouthshire, Newport, Torfaen and South Powys.
It employs over 13,000 staff, two thirds of whom are involved in direct patient care.
But clearly care of patient records has not been paramount.
The ICO said in April 2012 the DPA error at ABHB occurred when the patient’s consultant emailed a letter to a secretary but did not provide enough information for the secretary to be able to identify the correct person.
The mistake was compounded by the doctor misspelling the patient’s name at one point, which resulted in the report being sent to a former patient with a very similar name in March of the previous year.
An investigation by the ICO, now led by Elizabeth Denham, found that neither member of staff had received training in data protection and there were inadequate checks in place within the board to ensure personal information was only sent to the correct recipient.
These poor practices were also used by other clinical and secretarial staff across the whole organisation.
It seems there are poor practices too in answering FOIA requests about how they deal with sensitive patient details now.