[BreachExchange] London Hospital fined £200,000 over fertility data breach

Audrey McNeil audrey at riskbasedsecurity.com
Tue Feb 28 18:55:52 EST 2017


https://www.digitalhealth.net/2017/02/london-hospital-fined-over-fertility-data/

A London private hospital that made patients’ confidential fertility data
freely searchable online has been fined £200,000.

The Information Commissioner’s Office (ICO) has fined private health
company HCA International after finding one of its private hospitals, Lister
Hospital, had not kept patients’ fertility data secure.

An investigation found that the hospital was sending unencrypted audio
recordings of information discussed during private IVF consultations to an
Indian transcribing company, which then sent the transcript back to the
hospital.

However, the Indian company stored both the recordings and the transcripts
on an unsecure server, allowing the confidential files to be searched by
anyone on the internet.

A Lister Hospital patient uncovered the breach in April 2015 when they
found a confidential IVF recording online. HCA had been using the
transcribing companies since 2009.

ICO head of enforcement, Steve Eckersley, said HCA had broken the law and
betrayed its patients’ trust.

“These people were discussing intimate details about fertility and
treatment options and certainly didn’t expect this information to be placed
online.”

“The hospital had a duty to keep the information secure. Once information
is online it can be accessed by anyone and could have caused even more
distress to people who were already going through a difficult time.”

Eckersley said the company had appropriate protections in other parts of
its business and the breach could have been avoided if it had simply
checked its contractor’s storage methods.

HCA International has 27 hospitals and medical centres in the United
Kingdom, most of them based in London, and has been involved in several
joint ventures with the NHS.