To think it’s not OK for the NHS to “accidentally” breach my confidentiality

[Torple]

So, I arrived home from work the other day to find a letter that, long story short, said that during a routine IT upgrade, an outside contractor working for my local NHS Trust had accidentally emailed my entire medical records to another outside agency, who had, in turn, emailed it to five people working on the upgrade.
According to the letter, they were immediately asked to delete it so the person in charge is confident they did.

I admit, at first, I was a bit “meh, that’s annoying”. But now I’ve had time to think about it, I am actually really annoyed, I think partly by the fact that the person who sent the letter is part of a department I have literally never had dealings with me in my life, so I’m now wondering if they have actually mistaken me for someone else (my name isn’t common though).
Or, has someone I have no need to be in touch with been given information about me they don’t need?
But also, I guess I’m worried that there’s a chance one of these people might have been able to do something untoward with this information, identity theft or something like that.

AIBU to be annoyed, or am I overreacting?

For context, about 10 years ago, I had major surgery that went slightly wrong due to human error, which has left a permanent effect and I never complained or made an issue because the doctor apologised in person as soon as it was discovered.

But this, for some reason, seems to have annoyed me more.

Aside for asking for clarification, what would people suggest I do in my shoes?

Was it from your local trust data protection person? This must be investigated... as it happens I've been in touch with mine, as I received a phone call for a breast scan that I knew nothing about which turned out to be for an older woman at a different GPs. So either my name and number is on someone else's records or they mixed me up with with someone else with the same relatively unusual name under the same Trust. DH found out the data protection contacts and they called me back today to investigate, and that's much less serious than what happened to you. I don't know if you might have the right to know who the other parties are (if they haven't told you) but I think you should find out if you can,

playing armchair psychologist, I think you might not be as 'over' the original mistake as you think. I can't imagine being upset about random people knowing about surgery that they've probably already forgotten about by now. I can imagine having this incident rake up all sorts of negative feelings around the original mistake.

But people are different, and you op are not me!

An NHS breach of confidentiality should be taken very seriously. No one should be able to access your medical records unless they had direct need to. I would contact PALS and go from there

You could report to ico, although they may have already done so, hence the letter.

Echobelly no, it was from the head of the smoking cessation department. I have never smoked in my life.
So EITHER it’s not me, or it is but another person who has no need to know I exist now has my contact details at a bare minimum, probably a lot more information as well.

morphene I’m not so much worried about the surgery thing. My point was more that that caused a permanent physical effect (nerve damage) and I was less annoyed than I am by this that will have no physical effect.
But I don’t know why this annoys me more. I think possibly because it sounds avoidable?

Unacceptable. I would insist on a meeting with the trust’s data protection officer. I would want

• more info on what happened and in particular how it got emailed on again
• confirmation that they have got attestations from those who received it about what they did imwith it and it has been permanently deleted (they clearly haven't)
• confirmation this has been reported to ICO

I would want an explanation of why, having received your records in error, the third party emailed them to five other people. And who these people were (as in were they other patients/members of the public, other contractors, GP surgeries, etc) and I’d want to know how the NHS were going to ensure that those people really did delete it, not just “well we’ve asked them to”.

Mistakes happen. They shouldn’t but they do. But mistakes on top of mistakes are very concerning. Of course nobody should’ve emailed your records to anyone unnecessarily in the first place and I’m not minimising that.

YANBU, of course you should be able to expect your medical records to be held securely.

I’ve recently been in a position whereby countless people I have never met have had full access to my medical records. There is something about this that feels so intensely intrusive even though I’ve nothing whatsoever that I’d be embarrassed to discuss.

I would also be asking for a meeting to fully discuss this major breech. Complaints can keep standards from dropping so have no hesitation in insisting on a full explanation and apology.

Is it possible that the Trust smoking cessation officer is also a data protection/information governance lead? Lots of clinicians have multiple roles that don't always seem related...might explain their involvement if you've never been involved with that department. (Doesn't make the breach acceptable though obvs).

Sounds like they were testing something and yours got emailed instead of the test data.

That would explain emailing it on. Test data has to look real. It's actually quite impressive they caught it at all.

cdtaylornats I think that was what happened.

Dear OP,
A data breach such as this should be investigated through the Trust's serious incident process and a report produced which should be shared with you. The letter should include details of who you can contact for further information and how you can send in questions to be included in the investigation. I would be tempted to contact the information commissioners office to make sure the Trust has informed them. YANBU to be upset about this. We have a legal and ethical duty to care for the information our patient's trust is with and on this occasion the Trust did not do that.

"Is it possible that the Trust smoking cessation officer is also a data protection/information governance lead?"

Wouldn't that be explained though?
TBH I'd be annoyed if loads of people thought I'd ever been a smoker.

Yes, I would be VERY annoyed to, but would probably only take it further if the data was something that actually bothered me having been shared IYKWIM.

I work in the NHS in an area that had a major hack disabling a whole county not that long ago. Our security/firewall are now so tight and secure that nothing actually works any more. I am beginning to see how IT is a very double-edged sword

I would not necessarily need a meeting but I do agree with @TheClacksAreDown bullet points.

It is good to see they have operated under their duty of candour so I would feel positive they have taken it seriously and will have learnt from this.

Eh, no! Report it! Disgusting