Abandoned Records Result in £100,000 Fine

Patient Documents Left in Closed Facility
Abandoned Records Result in £100,000 Fine

The UK's Information Commissioner's Office has fined the Stockport Primary Care Trust £100,000 after it left boxes of patient records at a shuttered location.

See Also: The Global State of Online Digital Trust

The new owner of the location previously operated by the trust reported to the ICO that boxes of documents containing personal information had been left behind, according to an ICO statement.

The boxes contained 1,000 documents, including work diaries, letters, referral forms and patient records containing personal information, the ICO said. Some documents contained particularly sensitive data on 200 patients, including details of miscarriages, child protection issues and a police report relating to the death of a child.

The ICO said its investigation revealed two earlier security incidents where sensitive data had been left behind in secure buildings owned by the trust.

"It's crucial that organizations don't take their eye off the ball when moving premises," said David Smith, deputy commissioner and director of data protection at the ICO. "The highly sensitive nature of the documents left behind makes this mistake inexcusable, and there can be no doubt that the penalty we've served is both necessary and appropriate."

Stockport Primary Care Trust was dissolved on March 31, 2013, and its legal responsibilities were passed to the NHS Commissioning Board, which is now required to pay the penalty by July 3, or serve a notice of appeal by July 2.

View the monetary penalty notice.

5 Tips When Moving

The ICO offers five tips for healthcare organizations that are moving locations:

  1. Personal information is at particular risk when moving; make security a priority.
  2. Don't assume anything; make sure it's clear who's responsible for what during the move.
  3. Ensure records and equipment containing personal information are moved securely.
  4. Dispose of files or computer hardware with care.
  5. Put a policy in place to make sure that security incidents are reported and acted upon in order to learn from mistakes.

About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.eu, you agree to our use of cookies.