All healthcare organisations must keep patient data secure, watchdog says

All healthcare organisations have been reminded about the importance of keeping patient data secure after an alleged attempt to access the Princess of Wales’s medical records, the data protection regulator has said.

Organisations have been told staff must be thoroughly trained and should be clear about the data breach reporting process, and appropriate technical measures such as passwords and access controls should be used so personal information can only be seen by people who need to use it.

The reminder comes from the Information Commissioner’s Office (ICO), which states that over 1,500 incidents are reported by the health sector each year.

As new technologies are increasingly used in the healthcare system, it is important that data is treated with the “utmost care and security”, said Stephen Bonner, the ICO’s deputy commissioner for regulatory supervision.

He added: “Every patient, no matter who they are, has the right to privacy.”

The move by the ICO comes after claims made by The Mirror newspaper that up to three people could have been involved in trying to access Kate’s private medical records following her abdominal surgery in January.

Speculation and conspiracy theories about the princess’s whereabouts and status of her health have been rife on social media.

The King, who has cancer, was treated for an enlarged prostate at the private London Clinic where Kate received her medical treatment, but the PA news agency understands Charles’s medical records were not accessed in the alleged breach.

Mr Bonner said: “We know people across the UK may be questioning how safe and secure medical records may be following reports of a data breach at the London Clinic.

“When we’re in the care of healthcare providers, we need to be able to freely share our personal and sensitive data – it’s often essential to ensure we receive the care and support we need. As new technologies come into use in our healthcare system, our data will become even more important.

“This underlines the need to ensure this information is treated with the utmost care and security.”

Enforcement action was taken against several healthcare organisations during the past year, including NHS Fife, after a person posing as a nurse entered a hospital ward and, due to a lack of identification checks and formal processes, helped staff with a patient and then made off with personal information from 14 patients.

Police were unable to identify the person or recover the lost paperwork, as their progress was hindered by the CCTV having been accidentally switched off by a staff member.

The ICO’s investigation found NHS Fife failed to have appropriate security measures for personal information and had low staff training rates.

New measures, such as a system for documents containing patient data to be signed in and out and updated identification processes, have been introduced.