Care plan sent to What'sApp group

[NameChanger43]

Please tell me if this is outrageous or I'm way over thinking this. I don't want to be outting too much! I work in Healthcare caring for about 40ish people in a residential setting. A new person is coming to stay and their entire care plan was sent over a what'sapp group of about 50 people not all of who would be involved in their care. Notes included:

Full name
DOB
Address
Full and detailed medical history and medication
Incontinence care
Family and relationships
Behaviour
Money management and how they are being funded
Personal care
End of life/last wishes
Mental capacity... and much more

I know the importance of everyone knowing these details butsurely whatsapp is not secure. If my phone was stolen or lost anyone could read that (i do have a password).

How would you feel if this was your mum/dad/relative?

WhatsApp may be encrypted, but it doesn't comply with the complex legislation around healthcare data. For a start, the data is stored out of the country by a private company with a poor record with data compliance.

YANBU but the ico are unlikely to care unless there is a systemic issue and you have other examples.

what do you intend to get out of this, OP? Someone to lose their job?

I am sorry OP that you are in this position.cocklepops gives some good advice. I am a nurse and have never ever in all the places I have worked ( currently Nursing home) used Whatsapp to share info. Really shocked.

what do you intend to get out of this, OP? Someone to lose their job

Data protection breaches are important and need to be tackled.

There needs to be a way to ensure that they are stopped. It should be reported to the Data Protection officer in the organisation who can then take appropriate action.

Companies can face massive fines for GDPR breaches. There is also the potential personal impact.

what do you intend to get out of this, OP? Someone to lose their job?

I would imagine the OP's intention is that such data breaches don't happen again...

I’m pretty sure WhatsApp is more secure than email.. not saying it should be sent via WhatsApp necessarily but ??

InFiveMins you might feel a bit different if that was your personal care plan being sent to 50 strangers, many of them whom probably don't need to know the full ins and outs of it.

@InFiveMins

what do you intend to get out of this, OP? Someone to lose their job?

Nobody needs to lose their job necessarily. But they need to put in or enforce protocols for data sharing in the company.

I do hope this was a one-off error

Reported infivemims
Such a nasty reply to an obviously concerning issue.

It does probably break data laws.

However I don’t think the likelihood of someone using this data maliciously is that high though (or am I missing something)?

Can see better things for the care home and authorities to be spending their time and money on personally than investigating / defending this allegation.

Was it an isolated incident?

WhatsApp may be encrypted, but it doesn't comply with the complex legislation around healthcare data.

That's funny, pretty sure NHSX have recently said whatsapp is fine to use. We use it in a work capacity in health and social care.

Can see better things for the care home and authorities to be spending their time and money on personally than investigating / defending this allegation

Better they spend time and money now than on a massive court case or fines.

Information was shared on an inappropriate platform.
Information was shared with people that had no need to know.
Too much information was shared.

Whatsapp tends to save pics automatically in your phone. So possibly there could be 50 phones with that info, phones maybe accessed by children,friends,partners. The information is also available to be shared either by accident or maliciously.
There's also no way of tracking how the information is used or bu whom.

If you don't see an issue think about this, would you like your child's information ( incontinence issues,behavioural issues, MH or SEN issues , troubles with friends whatever) shared with the whole school staff on WhatsApp? Would you be happy that the staff has now a permanent hardcopy/proof of those issues?

@raspberryk

WhatsApp may be encrypted, but it doesn't comply with the complex legislation around healthcare data.

That's funny, pretty sure NHSX have recently said whatsapp is fine to use. We use it in a work capacity in health and social care.

www.digitalhealth.net/2020/03/clinicians-told-they-can-use-whatsapp-to-share-data-in-face-of-covid-19/

“The important thing, as always, is to consider what type of information you are sharing and with whom. And as much as possible limit the use of personal/confidential patient information,” according to a statement on the NHSX website

There was no need to send a care plan that can be accessed by staff on that shift.

You’re absolutely doing the right thing in reporting. Well done.

WhatsApp is considered really quite secure. Now it may not be the policy in your workplace. But I work in clinical research in the NHS and we are often required to send information back and forth via WhatsApp. It's considered more secure than our usual email addresses (I have two email addresses, one for my actual employer and one for my NHS trust - the NHS email is fine, but my employer's email is not - WhatsApp is considered safer by our data protection office because of the end-to-end encryption). But the difference is if everyone needed to know that information. If they did, it could be the safer option, depending on your data protection policies.

Aside from the shocking confidentiality breach, sounds like a potential disciplinary issue. At the very least she needs more training in data protection/ secure storage of data.

Is the person who sent it a nurse? If so she could potentially be reported to the NMC as preserving confidentiality is part of the NMC Code

Whatsapp in care settings is getting increasingly common and as someone who receives home care I hate it. Good for you for reporting it OP.

@InFiveMins

what do you intend to get out of this, OP? Someone to lose their job?

Not at all, I was surprised/worried when I saw it so I came to see if I was being unreasonable. Although there are many many more examples of breaches of privacy, safeguarding issues and neglect within the setting. So maybe someone somewhere needs to shake things up and maybe a new person looking into things would help people recieve the care they deserve. The new managers have had their role for 18 months and in that time 11 long standing and experienced members of staff have left the role. So it's not a case of one person messing up once and so I think they should lose their job

There was no need to send a care plan that can be accessed by staff on that shift.

And if you read my first reply you'll note I also said words to that effect in addition to the sentence on whatsapp and encryption.

"The important thing, as always, is to consider what type of information you are sharing and with whom. And as much as possible limit the use of personal/confidential patient information,” according to a statement on the NHSX website.
The guidance, endorsed by the Information Commissioner’s Office, the National Data Guardian and NHS Digital, also provides information on video conferencing and the use of personal devices.
The Information Commissioner has assured NHSX that she “cannot envisage a situation where she would take action against a health and care professional clearly trying to deliver care”, the guidance states.
Clinicians are advised they can use their own devices to support video conferencing for consultations, mobile messaging and home working “where there is no practical alternative”.
But they should take reasonable steps to ensure safety and protect patient data, including setting strong passwords; using secure channels to communicate such as apps that use encryption; and not storing personal or confidential information unless “absolutely necessary”.
“Information should be safely transferred to the appropriate health and care record as soon as it is practical to do so,” NHSX said."

Sounds like lots of information being shared - need to know and all that.

My DH works in IT security for the local authority, and he says you don't put this sort of info on WhatsApp. I'm sure I saw steam coming from his ears when I read your OP out to him! He also said this is why they don't allow users to use their own pen drives etc, because a data breach is such a big security risk, and this also had the client's name and other personal info on.

You definitely need to report it asap.

Awful please report this.