A private health company has been fined £200,000 for failing to keep fertility patients’ personal information secure.
HCA International Ltd owns a number of private hospitals including the Lister Hospital in London. The hospital provides a range of treatments to private clients including IVF treatment.
Handwritten notes made by doctors during consultations with patients were audio recorded by the hospital and routinely sent to a company in India for transcription into written records, which were then returned to the hospital. However, a patient found that during March/April 2015 transcripts could be accessed via an internet search engine. The patient informed the hospital.
Outsourcing transcription services is not a new phenomenon, nor is it confined to certain types of business. So what went wrong with the procedures used by HCA?
Where personal information (and in this case highly sensitive personal information) is used outwith the office, failing to encrypt that information will bring the wrath of the Information Commissioner down upon your head. The Commissioner has emphasised this many times, and it was one of the series of errors made by HCA. Since 2009 the hospital had routinely sent unencrypted audio recordings by e-mail to India for transcription. The transcription company met the Data Protection Act’s definition of a data processor acting for the data controller, HCA.
The seventh data protection principle requires a data controller to have appropriate technical measures in place against unauthorised or unlawful processing of personal information. If a processor is to be used, one offering sufficient security measures should be chosen, and the controller should take reasonable steps to ensure that those security measures are in fact being used.
In this case the Indian company was using an insecure server to store the audio files and transcripts. HCA was unaware of this and failed to monitor the security measures being used by the Indian company.
Further, the use of a processor requires a written contract which obliges the processor to comply with obligations equivalent to those imposed on the data controller by the seventh principle. HCA failed to meet these requirements.
Matters were made worse by the fact that HCA had policies in its UK hospitals requiring e-mails containing personal information to be encrypted and requiring its transcription companies to use secure servers.
As HCA had been acting in this manner since 2009, it could not be considered a one-off event.
Head of ICO enforcement, Steve Eckersley, said: “What makes this case even worse is that we know the company is aware of its data protection obligations and already has appropriate safeguards in place in other areas of its business. The situation could have been avoided entirely if HCA International had taken the time to check up on the methods used by the contract company.”
One wonders whether the fine would have been higher had HCA not voluntarily reported the breach to the Commissioner, co-operated fully with the investigation and taken substantial remedial action. The damage done to its reputation is probably the bitterest pill to swallow.