
What can happen when medical information falls into the wrong hands?


The world is rapidly going digital, and this online information revolution has seen most organisations move away from paper record keeping. However, over the last few years, digitally held information has proved a lucrative target for hackers.

But when it comes to information falling into the wrong hands, human error rather than cybercrime is, in most cases, the biggest cause of data breaches. And these errors are just as likely to happen offline.

In a recent case, our solicitors saw the impact of what can happen when sensitive medical information was sent to the wrong address by mistake.

What happened in this case?

In this data breach, HM Courts & Tribunals Service (HMCTS) sent a copy of a confidential medical report to a person’s former partner by mistake. The report from a doctor said that the man (our client) was depressed and suicidal.

Once our client’s ex read the report – a document that she should never have had access to – she used its contents in an application to reduce his contact with his children. This application was successful (the court was not aware of how this information was obtained).

As a direct result of the admin error, this data breach has had a devastating impact on our client. Having reduced contact with his children has caused him considerable distress and upset, as well as aggravating his mental health problems. So, in this case, the consequences have been particularly severe.

What can you do to stop this from happening to you?

When handing over your postal address to an organisation, it is vital that you check that these details have been taken down correctly. You are completely within your rights to ask for a copy of the data an organisation holds about you. This is called making a subject access request (SAR). This won’t guarantee that an error doesn’t result in information going to the wrong address, but it is a good safety precaution to take. Find out more about making a SAR.

You should also ask any organisation that has access to your medical records what type of information they share and with whom.

You can also choose not to have your medical information shared or used for any purpose beyond providing your own treatment or care. This choice is known as a national data opt-out. Find out more about the national data opt-out.

Of course, there may be instances (as in this case) where you need or want to share this information. Likewise, your confidential patient information may still be used when there is a legal requirement to provide it.

Lessons learned

The duty of confidentiality goes beyond undertaking not to divulge confidential information; it includes a responsibility to make sure that written patient information is kept securely.

If you are an employee of a medical organisation or a government agency or department and you want to make sure that you don’t make a similar mistake, talk to your employer about any processes that can be put in place to make sure that the addresses of your customers are correct. This is especially important if you deal with sensitive information such as medical reports. Such steps could include things like additional data protection training, and checks and balances on systems generating correspondence.

For more advice on how to keep your data safe, follow Hayes Connor on Twitter or give us a like on Facebook. Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.