AIBU?

I've just been sent the full medical records of another person

169 replies

Chantelli · 16/09/2020 16:39

I asked for a report and medical reports under the FOI. I have been emailed a pdf of another person's full medical history instead of my own. The email was unencrypted and the name completely dissimilar to mine. I have emailed back and no response.

Surely this is illegal?

Sunbird24 · 16/09/2020 16:41

Yes it is. Absolute breach of GDPR.

SequinsandStiIettos · 16/09/2020 16:41

Data Protection Act 2018 - completely in breach. Raise hell.

millymae · 16/09/2020 16:45

It’s a massive breach of confidentiality on the part of whoever sent it.
No matter how inconvenient it might be to you, you really need to let them know ASAP.
Can you phone?

JamieLeeCurtains · 16/09/2020 16:45

That breaches the Data Protection Act, yes. You can open a case with the office of the Information Commissioner online, who will investigate.

You wouldn't have used FoI for personal data, btw, it would have been the DPA.

yellowsunrise · 16/09/2020 16:57

Good grief - and if they are that incompetent, they may have sent your details to someone else.

Sanitisethat · 16/09/2020 16:59

Yes, massive breach of the Data Protection Act. You should complain, they need to address it.

rottiemum88 · 16/09/2020 17:08

As a PP mentioned, you received your data under your data subject access rights (DSAR), not FOI.

But in any case, yes it’s a breach of the DPA 2018/GDPR, so reporting it to the organisation who’ve committed the breach is the correct thing to do to enable them to conduct an investigation into how the mistake was made. As part of their response, they should ask you to delete the email and confirm back to them that you’ve done so. It’s an offence for you to do anything else with the data as it doesn’t belong to you.

Medical data falls under the definition of special category personal data, so the organisation may choose to report the breach themselves to the ICO; this really depends on their overall risk assessment of the breach though and has no effect on your ability to report the breach to the ICO yourself, though I wouldn’t expect any kind of response for something low level like this.

In your shoes, the thing I’d be most interested in is why the document wasn’t in any way encrypted/password protected and would ask the organisation to confirm that sending data unsecured in this way is in line with their standard policy, as this would be at odds with their obligation under the GDPR to keep the data they hold secure, particularly when in transfer, and may be of more interest to the Regulator than the details of the breach itself.

SabrinaSalem · 16/09/2020 17:09

Yes this is a data protection breach and they should be taking it extremely seriously. The organisation in question probably has a data protection officer, see if you can find out on their website. Failing that, their legal team.

If you're concerned they're not taking it seriously you could contact the ICO helpline: ico.org.uk/make-a-complaint/
It's a bit of an odd situation though because you don't want to complain about the misuse of your own data, but someone else's.

Pobblebonk · 16/09/2020 17:11

You need to check that they haven't sent your records to the person whose records have come to you.

FelicityPike · 16/09/2020 17:13

Lose your shit & raise merry hell.

Cocklepops · 16/09/2020 17:13

Okay. That’s an epic data breach. Which organisation has sent you this?

Cocklepops · 16/09/2020 17:14

As in is it NHS, a law firm etc

CuriousFluff · 16/09/2020 17:16

Yes raise merry hell as it implies someone's got yours!

OnceUponAThimble · 16/09/2020 17:21

The organisation has 72 hours to notify the person whose data they have breached, of the breach, once they become aware of it. That's legislation.

Handsoffisback · 16/09/2020 17:22

Oh my Christ. I’d be contacting said other person for them to raise merry hell also. What a disgrace.

Motorina · 16/09/2020 17:25

Please contact the Information Commissioner's Office with regard to this. Google will find them and they have an easy web-form that you can report on.

doublehalo · 16/09/2020 17:26

And also, where's yours been sent??

SunshineCake · 16/09/2020 17:29

I get it is against the law but before everyone stresses out the OP more. What difficulties would it cause if a stranger reads these records, @Chantelli?

AlwaysCheddar · 16/09/2020 17:29

Someone is shitting themselves!!!

Standrewsschool · 16/09/2020 17:30

Speak to the Information Governance Officer at the organisation.

Highlights12 · 16/09/2020 17:33

It's obviously been done in error. Let the organisation know ASAP.

GoatsInBoats · 16/09/2020 17:35

I was recently expecting a letter from a hospital with an appointment booking in it. I received a hand-addressed hospital envelope with someone else's name on, but with the correct address. I opened it just in case they'd made a mistake with the name, to find it was indeed meant for someone else, and contained really sensitive information.

Of course, I'm now wondering whether my letter has gone to him instead.


whataboutbob · 16/09/2020 17:40

It was sent in error. People make mistakes. In all likelihood they will know full well the gravity of their mistake and be quite scared now. Contact the sender, explain it’s been sent in error, delete and leave it at that surely? Earlier this year I was sent a letter meant for someone else, not medical but financially sensitive. I deleted and let the sender know.

Happyhippy99 · 16/09/2020 17:40

Are the contact details of the person whose records you’ve been sent actually visible on the records? If so I’d contact them directly. I’m assuming the records were sent from a hospital? The records department managers will be lying toads & will try to pass the blame & wriggle out of this very serious error. It’s highly likely that the person whose records you have been sent will never be told, unless you tell them. Then go right to the top (chief executive if it’s an NHS trust) to demand an explanation. They WILL be evasive but just keep on demanding an explanation. Oh and promise them the press if they are hesitant.

nocoolnamesleft · 16/09/2020 17:40

That's an enormous breach.
