ICO hits NHS board with £70,000 fine
First penalty to be issued against an NHS organisation.
The Information Commissioner's Office (ICO) has issued its first monetary penalty against an NHS organisation, which sent sensitive patient details to the wrong person.
The Aneurin Bevan Health Board (ABHB) in Wales has been ordered to cough up £70,000 for the mistake, which is understood to have taken place in March 2011.
The NHS holds extremely sensitive information. The damage and distress caused by the loss of a patient's medical record is obvious.
In a statement, the ICO said the data breach had been blamed on a consultant who had provided insufficient details about a patient, which resulted in them being incorrectly identified.
As a result, a report into the patient's health was sent out to a patient with a similar name.
Following an investigation by the ICO, it was concluded the consultant had received insufficient training about data protection and that inadequate checks were in place to safeguard patients' personal information.
Stephen Eckersley, head of enforcement at the ICO, said, as well as a financial penalty, ABHB had also signed an undertaking to address the data protection watchdog's concerns.
"Aneurin Bevan Health Board failed to have suitable checks in place to keep the sensitive information they handled secure," he said.
"This case could have been extremely distressing to the individual and their family and may have been prevented if the information had been checked prior to it being sent."
As part of ABHB's undertaking, all staff will be trained in and made aware of its policies on data protection.
New checks will also be introduced to tighten up patient identification procedures, and regular monitoring of its data protection policies will take place.
News of the fine comes less than a year after the ICO rapped the NHS for not making enough of an effort to safeguard patients' data.
Caroline Donnelly was the news and analysis editor of IT Pro. Previously, she worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.