I've just been sent the full medical records of another person

(170 Posts)
Chantelli Wed 16-Sep-20 16:39:59

I asked for a report and medical reports under the FOI. I have been emailed a pdf of another person's full medical history instead of my own. The email was unencrypted and the name completely dissimilar to mine. I have emailed back and no response.

Surely this is illegal?

Sunbird24 Wed 16-Sep-20 16:41:40

Yes it is. Absolute breach of GDPR.

SequinsandStiIettos Wed 16-Sep-20 16:41:54

Data Protection Act 2018 - completely in breach. Raise hell.

millymae Wed 16-Sep-20 16:45:25

It’s a massive breach of confidentiality on the part of whoever sent it.
No matter how inconvenient it might be to you, you really need to let them know ASAP.
Can you phone?

JamieLeeCurtains Wed 16-Sep-20 16:45:26

That breaches the Data Protection Act, yes. You can open a case with the office of the Information Commissioner online, who will investigate.

You wouldn't have used FoI for personal data, btw, it would have been the DPA.

yellowsunrise Wed 16-Sep-20 16:57:39

Good grief - and if they are that incompetent, they may have sent your details to someone else.

Sanitisethat Wed 16-Sep-20 16:59:10

Yes, massive breach of the data protection act. You should complain, they need to address it.

rottiemum88 Wed 16-Sep-20 17:08:37

As a PP mentioned, you received your data under your data subject access rights (DSAR), not FOI.

But in any case, yes it’s a breach of the DPA 2018/GDPR, so reporting it to the organisation who’ve committed the breach is the correct thing to do to enable them to conduct an investigation into how the mistake was made. As part of their response, they should ask you to delete the email and confirm back to them that you’ve done so. It’s an offence for you to do anything else with the data as it doesn’t belong to you.

Medical data falls under the definition of special category personal data, so the organisation may choose to report the breach themselves to the ICO; this really depends on their overall risk assessment of the breach though and has no effect on your ability to report the breach to the ICO yourself, though I wouldn’t expect any kind of response for something low level like this.

In your shoes, the thing I’d be most interested in is why the document wasn’t in any way encrypted/password protected and would ask the organisation to confirm that sending data unsecured in this way is in line with their standard policy, as this would be at odds with their obligation under the GDPR to keep the data they hold secure, particularly when in transfer, and may be of more interest to the Regulator than the details of the breach itself.

SabrinaSalem Wed 16-Sep-20 17:09:20

Yes this is a data protection breach and they should be taking it extremely seriously. The organisation in question probably has a data protection officer, see if you can find out on their website. Failing that, their legal team.

If you're concerned they're not taking it seriously you could contact the ICO helpline: ico.org.uk/make-a-complaint/
It's a bit of an odd situation though because you don't want to complain about the misuse of your own data, but someone else's.

Pobblebonk Wed 16-Sep-20 17:11:16

You need to check that they haven't sent your records to the person whose records have come to you.

FelicityPike Wed 16-Sep-20 17:13:15

Lose your shit & raise merry hell.

Cocklepops Wed 16-Sep-20 17:13:38

Okay. That’s an epic data breach. Which organisation has sent you this?

Cocklepops Wed 16-Sep-20 17:14:05

As in is it NHS, a law firm etc

CuriousFluff Wed 16-Sep-20 17:16:29

Yes raise merry hell as it implies someone's got yours!

OnceUponAThimble Wed 16-Sep-20 17:21:55

The organisation has 72 hours to notify the person whose data they have breached, of the breach, once they become aware of it. That's legislation.

Handsoffisback Wed 16-Sep-20 17:22:00

Oh my Christ. I’d be contacting said other person for them to raise Merry hell also. What a disgrace

Motorina Wed 16-Sep-20 17:25:29

Please contact the Information Commissioner's Office with regard to this. Google will find them and they have an easy web-form that you can report on.

doublehalo Wed 16-Sep-20 17:26:19

And also, where's yours been sent??

SunshineCake Wed 16-Sep-20 17:29:22

I get it is against the law but before everyone stresses out the OP more. What difficulties would it cause if a stranger reads these records, @Chantelli?

AlwaysCheddar Wed 16-Sep-20 17:29:58

Someone is shitting themselves!!!

Standrewsschool Wed 16-Sep-20 17:30:26

Speak to the Information Governance Officer at the organisation.

Highlights12 Wed 16-Sep-20 17:33:08

It's obviously been done in error. Let the organisation know asap.

GoatsInBoats Wed 16-Sep-20 17:35:39

I was recently expecting a letter from a hospital with an appointment booking in it. I received a hand-addressed hospital envelope with someone else's name on, but with the correct address. I opened it just in case they'd made a mistake with the name, to find it was indeed meant for someone else, and contained really sensitive information.

Of course, I'm now wondering whether my letter has gone to him instead.

whataboutbob Wed 16-Sep-20 17:40:20

It was sent in error. People make mistakes. In all likelihood they will know full well the gravity of their mistake and be quite scared now. Contact the sender, explain it’s been sent in error, delete and leave it at that surely? Earlier this year I was sent a letter meant for someone else, not medical but financially sensitive. I deleted and let the sender know.

Happyhippy99 Wed 16-Sep-20 17:40:27

Are the contact details of the person whose records you’ve been sent actually visible on the records? If so I’d contact them directly. I’m assuming the records were sent from a hospital? The records department managers will be lying toads & will try to pass the blame & wriggle out of this very serious error. It’s highly likely that the person whose records you have been sent will never be told, unless you tell them. Then go right to the top (chief executive if it’s an NHS trust) to demand an explanation. They WILL be evasive but just keep on demanding an explanation. Oh and promise them the press if they are hesitant.
