Information Governance Incidents

Contents

Introduction

Content of the report

Next report

Closed level 2 incidents reported during 1 July to 30 September 2015

Appendix A

Incidents closed using the ‘auto closure’ facility

Introduction

This is the fourth published report of closed level 2 Information Governance Serious Incidents Requiring Investigation (IG SIRIs) recorded on the IG Toolkit Incident Reporting Tool. It covers IG SIRI level 2 incidents closed during the period of 1July to 30September 2015, following investigation by the local organisation(s) concerned.

Content of the report

The report consists of 57 closed incidents reported to the Information Commissioner’s Office (ICO), Department of Health (DH) and NHS Englandby Health or Adult Social Care organisations or suppliers - as advised within the IG SIRI Guidanceissued 29 May 2015.

The report contains the organisation name, date the incident was closed, scale (e.g. the number of data subjects affectedpresented as a range), a description of the incident and data involved. All information displayed below is as reported by the organisation(s) concerned. Where necessary, personal information included within the incidents has been redacted.

An autoclosure feature introduced in June 2015 closes all open incidents that have not been updated by the organisation for 90 days[1]. In Appendix A are 95 incidents whichhave been auto-closed by the system.

Please note

A ‘closed’ incident means that the incident has been investigated by the local organisation and no further action is required unless the ICO makes a request.
Closed incidents may still be under review by the ICO and any actions taken will be published on the ICO website.
This report does not include level 2 incidents which are still marked as open and therefore are still under investigation by the local organisation.
Any near misses, Level 0 and 1 incidents voluntarily reported by organisations are also excluded as these incidents are not currently being monitored by NHS Digital but are useful for gathering intelligence, analysing trends and learning from previous occurrences. Details of such incidents are held by the local organisations.

Next report

The next closed level 2 IG SIRI report will cover the period 1 October to 31December 2015.

Information Governance Incidents

Closed level 2 incidentsreported during 1 July to 30September 2015

ID / Organisation Name / Date of Closure / Volume / Details of Incident / Data
IGI/4206 / NORTHAMPTON GENERAL HOSPITAL NHS TRUST / 29-Sep-15 / 9 / A list of 9 patients - seven including clinical data - found in the on-site library (provided by another NHS organisation).
Document found and reported to an email account that was not monitored on a daily basis. The document was recovered from the email account four days after it was reported and the source was identified as A&E (all noted patients presented at A&E). The document is a paper with 7 patient addressographs and a further 2 annotated patient names. The 7 labelled patients contained patient identifiable data and presenting complaint. / The 7 labelled patient’s details include hospital and NHS numbers, name DOB gender address and GP details. The annotations include presenting complaint.
The 2 handwritten patients were name only.
IGI/4215 / HINCHINGBROOKE HEALTH CARE NHS TRUST / 15-Sep-15 / 15 / A member of staff found the handover sheet on the ground en route to the accommodation blocks. There are15 patients listed on a handover sheet, some hand written notes. Patient details include name, DOB, Hospital No, presenting symptoms and additional mainly clinical information not easily deciphered by the untrained eye. Member of staff raised an internal incident report. / 15 patients listed on a handover sheet, some hand written notes. Patient details include Name, DOB, Hospital No, presenting symptoms and the rest of the information is mainly clinical information not easily deciphered by the untrained eye.
IGI/4196 / UNIVERSITY HOSPITALS OF MORECAMBE BAY NHS TRUST / 17-Sep-15 / 28 / GP reports relating to Breast Screening attendance/non-attendance/Routine recall results which contained patient identifiable details of 28 women were sent to 1 of the 28 patients in error - instead of being sent to the GP Practice they were registered with. The incident was identified, when the patient in receipt of the reports handed them into the GP Practice who should have received them. Breast screening office staffs were informed by the practice of the incident. / Breast screening GP reports detailing a patient’s attendance/non-attendance for patients who require no further investigations. The reports include patient name, screening reference number, address, date of birth, registered GP, national insurance number, telephone, details of their screening status (screened or not screened), breast screening results (routine recall (no significant abnormality) or will be invited for further attention
IGI/4201 / Norfolk Community Health and Care NHS Trust / 14-Sep-15 / 11 / A community nurse left a daily diary sheet on the passenger seat of her car in error whilst she undertook a domiciliary visit. The daily diary sheet contained the demographic details for eleven patients. In addition clinical diagnosis and reasons for visiting were completed for nine of the eleven patients.
The community nurse was unsure of the area and could not locate the house she needed and so she parked her car and asked for directions. A member of the public showed the nurse where the house was, consequently she did not return to her car and therefore did not realise she had left the diary sheet on the car seat. The breach was brought to our attention by a member of the public who contacted the Trust to report it. / The data on the diary sheet was name, address, telephone number for eleven patients and clinical diagnosis and reasons for visiting were completed for nine of the eleven patients on the list.
IGI/4106 / Ballater Surgery / 20-Aug-15 / 4000 / The surgery’s bi-annual newsletter is emailed to all patients whose email addresses we hold. This has been done on many occasions in the past, using bcc and is considered a routine procedure, so therefore no special measures were in place. Patients can also subscribe to the newsletter via our website which they then receive securely.
The email addresses were downloaded from EMIS to Excel to be made ready (semi-colon to be inserted between names) for a mass email to be sent. There were 4159 email addresses on file.
Due to the volume this was split into 4 separate emails.
The email addresses were copied and pasted into the ‘to’ box and not the bcc box, for each of the 4 emails sent. On the fourth occasion the person sending the email realised what they had done and alerted the Practice Manager.
At the same time the recipients of the first email starting calling and emailing back to alert us to the error we had made.
The PM contacted the MDU for advice, who advised to send another email (this time bcc) explaining we had made a data breach and to apologise. Unfortunately in this email we didn’t state what the data breach was, which caused us to send further individual emails to patients who requested further information.
The practice then entered the incident on the HSCIC G Toolkit Incident Reporting Tool the same day.
Approximately 150 emails were returned undelivered as we had recorded the incorrect email address. / Patient email addresses revealed to 4000 patients
IGI/4148 / NHS Bedfordshire CCG / 14-Sep-15 / 1 / Declaration of Interest form contained details about a member of staff's mental health/counselling. The form was given to a P.A who uploaded the details onto the CCG's public facing website. A review was undertaken of the entries and this particular entry was found and taken down. / Member of staff's personal confidential information e.g. “receiving counselling/therapy services from South Essex Partnership Trust, Mind BLMK and Step-by-Step”
IGI/4098 / SOUTHERN HEALTH NHS FOUNDATION TRUST / 03-Sep-15 / 1 / It has been reported by an in-patient that a hospital cleaner recognised him and has told her husband about the patient's admission to hospital and the husband has disclosed this information with other close members of their community. As a result the patient has alleged he has received a number of text messages enquiring about his mental health from within his local community.
The cleaner is an employee who is contracted by the Trust to provide a housekeeping and portering service. / Patient name and name of admitting hospital
IGI/4068 / MERSEY CARE NHS TRUST / 24-Aug-15 / 170 / Unauthorised disclosure of volunteers’ home email addresses / Unauthorised disclosure of 170 volunteers’ email addresses - email created as a "group email" instead of being created as bcc.
IGI/4197 / AVON AND WILTSHIRE MENTAL HEALTH PARTNERSHIP NHS TRUST / 25-Aug-15 / 1 / Discharge letter sent to wrong address / Discharge summary of one patient
IGI/4373 / Sheffield Health & Social Care NHS Foundation Trust / 25-Sep-15 / 1 / A report written by the Trust in support of a service user’s claim was mistakenly released to another person as part of a subject access request. / Report written by the Trust which contained the service user's personal details and information relating to their mental health.
IGI/4052 / The Moorcroft Medical Centre / 13-Aug-15 / 2 / Copies of 2 patient notes were requested by authorised solicitors. Copies accidentally forwarded to incorrect solicitors. Error identified and notes recalled. Notes accidentally released to a controlled environment. Release of notes had an audit trail and recipient solicitors acting in accordance with practice's wishes. Solicitor for first patient has returned incorrect notes in full. Second solicitor is returning their incorrect notes immediately.
Both sets of complete copies have been returned to the practice and now forwarded to correct solicitors. / Print off of medical records
IGI/4123 / CITY HOSPITALS SUNDERLAND NHS FOUNDATION TRUST / 25-Sep-15 / 22 / The Trust has implemented an electronic solution which safely delivers correspondence to the majority of GPs it works with. There are some GPs which are not yet configured to this solution (generally those within Sunderland CCG and North Easington catchment areas), and these letters are still currently issued in paper form. For these, batches of letters which are to be issued to GP practices are printed centrally and are folded, enveloped, and delivered to GP practices each day.
2 separate envelopes containing letters which were intended for 2 different GP practices have instead been delivered to 2 different patients’ homes (each one being registered to one of these GP practices).
A review of the incident has identified that this is due to an administrative error. Instead of folding the letters with the GP’s name and address for each batch to be placed in the windowed envelope, they have instead been folded with the first patient of each batch having their address in the window of the envelope. This means that 2 patients have received a copy of their letter which was meant to go to their GP, and each patient has also received other letters for other patients which were meant to go to their GP that on that day as part of the batch.
Both patients who were in receipt of the letters have:
• Patient 1 – Called CHS immediately. The letters (Batch = 18 letters) were personally collected that day from the patient’s home. These have since been refolded and reissued to the correct GP practice – Received.
• Patient 2 – Called and attended the GP practice who was supposed to have received the letters in the first instance. This GP practice contacted CHS to highlight that they had received the letters from the patient (Batch = 4 letters) – Received. / Patient identifiable information on letters including name and address, along with clinical information contained within each letter.
IGI/4053 / BIRMINGHAM AND SOLIHULL MENTAL HEALTH NHS FOUNDATION TRUST / 23-Sep-15 / 1 / Letter posted to incorrect address containing sensitive data / Assessment letter containing sensitive personal data regarding a child
IGI/4156 / HINCHINGBROOKE HEALTH CARE NHS TRUST / 15-Sep-15 / 50 (total) 20 & 30 / Incident 1 - Handover sheet found in the car park, attached to the handover sheet was a piece of paper containing personal details about the owner of the handover sheet.
Incident 2 - Handover sheet found outside the Trust in an area predominantly used by staff. / Incident 1 - There are approx. 30 patients detailed on the sheets. The name, Hospital No and DOB are listed and some information about the presenting illness, and treatment plan and social situation. There are clinical handwritten notes.
Incident 2 - There are approx. 20 patients detailed on the sheets. The name, Hospital No and DOB are listed and planned treatment. There are also some hands written notes.
IGI/4032 / BASILDON AND THURROCK UNIVERSITY HOSPITALS NHS FOUNDATION TRUST / 12-Aug-15 / 1 / A patient attended the Trust's Maternity Assessment Centre (MAC) for a scheduled appointment. The patient discovered a few copies of documents relating to another patient in her notes.
Patient A attended, refused to wait for the doctor and left against medical advice. The midwife advised that the patient A make another appointment. The midwife photocopied the scan report and a copy of the signed 'Discharge Against Medical Advice' form and attached it to the diary on MAC for the date that the patient was due to return for their appointment.
Patient B attended MAC and during her visit advised she had another patient's documents in her notes. From the initial 24 hour review, it appears these documents were accidentally placed in patient B’s notes. / Photocopy of scan report containing patient name, Dob, address, hospital number, brief medical history of patient (3 lines), gestation details, and Foetal Wellbeing Scan (size of head, femur length, etc.).
Photocopy of chart - containing patient name, DOB, hospital number and graph showing foetal weight.
Photocopy of Irregular Discharge Against Medical Advice form, containing Name, Address, and signature.
All 3 documents relate to the patient A.
IGI/4110 / HEART OF ENGLAND NHS FOUNDATION TRUST / 28-Sep-15 / 60-70 / Handover and other documents found at Royal Wolverhampton Hospital. Documents found by staff, it is thought that they had been taken in by a doctor to shred. / Handover sheets for approx. 60-70 patients.
IGI/3990 / HINCHINGBROOKE HEALTH CARE NHS TRUST / 10-Aug-15 / 20 / Patient handover sheets found by a member of staff in a car park predominantly used by staff. A Consultant found the 2 sheets of paper folded together in the car park on his way into work. He handed the sheets to his secretary who in turn handed them to the Ops team involved to raise an incident. / There are approximately 20 patients detailed on the sheets although it looks like more, the one sheet is an update of the other and contains some duplicate information. The name, Hospital No and DOB are listed and some basic information about the presenting illness, and treatment plan, the rest of the information is clinical and not easily deciphered by the untrained eye.
IGI/3970 / THE QUEEN ELIZABETH HOSPITAL KING'S LYNN NHS FOUNDATION TRUST / 24-Aug-15 / 1 / A letter containing sensitive information regarding 1 patient was sent to the wrong address. A member of the public telephoned the Trust’s Occupational Health department to say that she had received a letter that should have gone to her neighbour. The house number on the letter was incorrect and as the name of the person it was addressed to was not visible, she had opened it. The receptionist offered to send a stamped addressed envelope for her to return it, but the lady stated that she would shred the letter. The incident is currently under investigation. / Occupational Health report including name, address and GP diagnosis
IGI/3873 / Gravesend Medical Centre (G82780) / 04-Aug-15 / Not known / Bin bags of confidential information left in the side street by a local pharmacy and found by member of public. This is not our pharmacy but patient details contained were likely to be belonging to our patients. I was called to reception by a member of the public who lives adjacent to the medical centre and has access to our shared courtyard. He had difficulty getting out of the back gates from the courtyard into the street because two blue bin liners full of rubbish were blocking his exit on the street side.
Upon investigation it was discovered that the waste was patient information in the form of letters, labels for medicine bottles, medicine bottles and other waste. I realised that the waste had come from the pharmacy which is also contained within our building.
The member of the public who had opened up the bags proceeded to pull items out of the bags and read out patient names and medication details from the information contained within. He said this is a serious matter and that he had taken photos to report the incident.