NHS Lanarkshire has been issued a reprimand by the Information Commissioner’s Office (ICO) after 26 staff at the trust used a WhatsApp group to share patient data, including names, phone numbers and addresses, on over 500 occasions between April 2020 and April 2022.
Staff at the trust, which oversees three hospitals near Glasgow in the towns of Airdrie, East Kilbride and Wishaw, also used the app’s functionality to share images, videos and screenshots, some of which included clinical information.
At one point, a non-staff member was added to the group in error, potentially exposing data to an unauthorised individual.
During its investigation, the ICO discovered that WhatsApp had been made available to the trust’s staff during the Covid-stricken spring of 2020 on the basis that it would be used for communicating basic information only in support of remote administrative work.
However, the Meta-owned service was at no point approved by the trust for processing data, and was used as such without its knowledge. On discovering the breach, NHS Lanarkshire self-reported the incident.
“Patient data is highly sensitive information that must be handled carefully and securely. When accessing healthcare and other vital services, people need to trust that their data is in safe hands. We appreciate that NHS Lanarkshire, like all healthcare providers, was under huge pressure during the pandemic, but there is no excuse for letting data protection standards slip,” said information commissioner John Edwards.
“Every healthcare organisation should look at this case as a lesson learned and consider their own policies when it comes to both messaging apps and processing information about patients. We will be following up with NHS Lanarkshire to ensure that patient data is not compromised again.”
John Edwards, ICO
In a statement circulated to media, a spokesperson for the trust said: “We have received a formal reprimand from the ICO for the use of WhatsApp by one of our community teams to exchange personal patient data during the pandemic.
“We recognise that the team took this approach as a substitute for communications that would have normally taken place in either a clinical or office setting but was not possible at that time due to Covid restrictions. However, the use of WhatsApp was never intended for processing patient data.
“We offer our sincere apologies to anyone whose personal details were shared through this group.
“We have already taken a number of steps including looking at alternative apps that can be introduced for the transfer and storage of images and videos within a care setting. This is being taken forward while considering the risks relating to the storage of any personal data,” they added.
The ICO said its investigation had concluded that NHS Lanarkshire lacked appropriate policies, guidance and processes in place when WhatsApp was made available to download, and had not conducted an assessment of the risks related to sharing patient data using such a service.
Speaking to the BBC’s Good Morning Scotland, Edwards said the investigation had found no suggestion that the data was ever misused or that anybody acted improperly with it.
The ICO’s formal reprimand comes in place of a fine, which the regulator is trying to avoid imposing on public sector bodies on the basis that such actions ultimately push the punishment onto the taxpayer. This policy has been in place for just over a year, although it has attracted criticism from some quarters.
The trust has, however, been advised to consider implementing a secure clinical image transfer system; to consider risks and assess and mitigate them prior to deploying new apps; to ensure staff are explicitly informed of their data protection responsibilities, including their responsibility to report a breach; and to review all organisational policies and procedures relevant to the incident, and amend them if necessary. The ICO said it would check on progress towards these goals in six months.
Clear training issue
Richard Forrest, legal director at law firm Hayes Connor, a data breach specialist, said the breach unfortunately reflected a lack of understanding and awareness of data protection issues – particularly the UK General Data Protection Regulation (GDPR) – in the health and social care sector.
Richard Forrest, Hayes Connor
A commissioned study for the firm, conducted in early 2020, found that in general one in five office workers had received no training on how to handle company data, GDPR, or cyber security, and with data breaches attributable to human error continuing to grow in volume, he said the overall picture was likely to get worse.
“As data breach solicitors, we see the majority of cases are in fact down to human error, causing untold impact and emotional trauma. We have worked on numerous human error healthcare data breach cases, and can attest to the very real threat they pose to both the NHS and the victims,” said Forrest.
“The number of instances in the NHS in 2023 alone demonstrates a systemic issue of lack of training and awareness that simply must be addressed, not only to save the victims, but to also mitigate the continued damage this is having on the reputation of our NHS.
“To remedy the eroding public trust in NHS services, the NHS must reassure the public that there will be substantial reform in data practices, and that extra care will be taken when handling confidential information. It is clear that staff training should be at the forefront of these reforms,” he added.