ICO issues first fine to NHS following data breach

Today the Information Commissioner’s Office announced that a Welsh health board had become the first NHS organisation to be issued with a monetary fine for a breach of the Data Protection Act.

From the ICO’s press release:

The Aneurin Bevan Health Board (ABHB) has been issued with a penalty of £70,000 after a sensitive report – containing explicit details relating to a patient’s health – was sent to the wrong person.

The error occurred when a consultant emailed a letter to a secretary for formatting, but did not include enough information for the secretary to identify the correct patient. The doctor also misspelt the name of the patient at one point, which led to the report being sent to a former patient with a very similar name in March last year.

It seems this was a fairly serious breach of the Act and the information was almost certainly within the “sensitive personal data” category.

It also seems that this was another example of an easily preventable accident which was the result of a woeful lack of proper awareness training. The ICO’s press release continues with: (emphasis ours)

The ICO’s investigation found that neither member of staff had received data protection training and that the organisation didn’t have adequate checks in place to ensure that personal information was sent to the correct person. These poor practices were also used by other clinical and secretarial staff across the organisation.

As a result of this breach, the ABHB have signed an undertaking agreeing to implement the necessary improvements and provide proper training to staff – however this is all too late to avoid the additional costs of the monetary penalty.

While security training does not prevent every breach, and may not have prevented this accident from taking place, the reality is that if the staff had been properly trained it is likely that the ICO would have reduced or waived the monetary fine. If nothing else, a good security education programme would have saved the ABHB at least £70,000.

Organisations frequently and mistakenly believe that security training is expensive, or a waste of money. The fact is that, following a breach, the security training has to be funded anyway, and there is a good chance that a fine has to be paid as well. This is a very poor risk management option.

A good security awareness package enhances your business’ ability to perform in a contested market; it helps protect your assets and prevent losses of physical material, intellectual property and/or sensitive data (personal or otherwise). Properly driven, security awareness training improves your organisation’s security culture and can enhance staff morale when they feel they are being properly protected.

If you fail to provide this, you are not saving your organisation money – you are just delaying the time you have to pay it and risking serious reputational damage in the process.

If you would like to discuss security training and awareness packages, or find out how Halkyn Consulting can assist you with the design and delivery of this to your staff, then get in touch with our security team; we will be happy to help you.

Taz Wake - Halkyn Security

Certified Information Systems Security Professional with over 19 years’ experience providing in-depth security risk management advice to government and private sector organisations. Experienced in assessing risks and producing mitigation plans worldwide, in both peaceful areas and war zones. Additionally, direct experience carrying out investigations into security lapses, producing evidential-standard reports and conducting detailed interviews to ascertain the details of the incident. Has a detailed understanding of the Security Policy Framework (SPF) and JSP440, as well as in-depth expertise in producing cost-effective solutions in accordance with legislative and regulatory guidelines. Experienced in accrediting establishments and networks, as well as project managing the development of secure, compliant, workable business processes.