Private health firm fined £200,000 after patients’ confidential conversations revealed online
The Information Commissioner’s Office (ICO) has fined a private health company, HCA International Ltd (‘HCA’) £200,000 for failing to keep patients’ personal information secure.
Records available online
The fine was issued as a result of an ICO investigation into the way HCA was transferring, transcribing and storing records of appointments. The issue was uncovered when it was found that transcripts of interviews recorded with patients could be freely accessed by searching online.
The investigation revealed that HCA had been routinely sending unencrypted audio recordings of the interviews by email to a transcription company in India. Details of private conversations between a doctor and various patients were transcribed there and the transcripts sent back by the same route.
The ICO found that the Indian company stored the audio files and transcripts on an insecure server, which is how the transcripts came to be indexed and freely accessible via online search.
A breach of security & trust
The reputation of the medical profession is built on trust. The ICO concluded that HCA had not only broken the law but had also betrayed the trust of its patients.
Under the contractual arrangements between them, the Indian company was acting as a ‘data processor’ for HCA, which was the ‘data controller’. Under the Data Protection Act (‘DPA’), the data controller is responsible for taking appropriate technical and organisational measures to keep personal data secure, and that responsibility does not pass to the processor simply because the processing has been outsourced.
The ICO found that HCA:
Choose carefully who you do business with
In our opinion this fine could have been avoided if HCA had taken three basic steps: protected the recordings in transit rather than sending them as unencrypted email attachments; put a written contract in place with the Indian company that set out its data security obligations; and checked, before and during the engagement, what security arrangements the Indian company actually had for storing the files.
These omissions are common when organisations contract out work to other businesses, and they place both the organisation and the people it serves at risk.
See the DataHelp page for more information about data protection.