I've just been sent the full medical records of another person

[Chantelli]

I asked for a report and medical reports under the FOI. I have been emailed a pdf of another person's full medical history instead of my own. The email was unencrypted and the name completely dissimilar to mine. I have emailed back and no response.

Surely this is illegal?

Wow! That is shockingly incompetent.

@DGRossetti

* the person responsible was punished incredibly severely*

How would you “incredibly severely” punish an employee?

The organisation that sent you the wrong records by mistake needs to record this as a data breach and report it to the ICO.

an admin error
simple

@Nomorepies

Omg this is unbelievable. Of course it's done in error but that doesn't mean it's ok! It's not an oh well naughty naughty type thing! Would the PP saying this feel the same if the police did this with a sensitive case file or a bank disclosed your account history to someone else?!

Honestly it’s not great but there is a human being - maybe stressed, maybe overworked - who has made a mistake. Human error happens. No one goes to work in the morning hoping to make a massive fuck up. GDPR is important and there for a reason but this wasn’t done with malicious intent.

All the ‘raising merry hell’ etc. on this thread is so over the top. Contact the department, explain what has happened. Ask for assurances about your data and to be kept informed of any updates if you so wish, but there is no need to bay for blood.

[quote Afibtomyboy]@DGRossetti

* the person responsible was punished incredibly severely*

How would you “incredibly severely” punish an employee?[/quote]
I didn't say I would.

I was just noting that seeing as we keep seeing these - frankly ludicrous - breaches of peoples data, then maybe the present systems aren't fit for purpose.

I wonder when the last time an MPs medical details were sent to a constituent "by mistake". There must be a statistical chance of it happening ....

The ICO must get loads of reports - but don't seem to take much action. Unless they don't report all the action they take.

This happened to me, only my records were sent to another patient.

I had an apology from the surgery as soon as they realised, I was invited to a meeting and had confirmation from the person they were sent that they had been destroyed.

The surgery reported themselves for the breach.

There was no need for me to raise merry hell as I don't think the surgery could have dealt with in a better way.

Remember, times are stressful - it will be up to the patient who's information you received to take it forwards.

@chomalungma

The ICO must get loads of reports - but don't seem to take much action. Unless they don't report all the action they take.

They don't seem to do anything in response to a breach report in my experience. The threat of reporting to the ICO doesn't really mean much now as they have become so inundated with reports post-GDPR. As far as I can see the breaches are filtered by admin staff who acknowledge and say they will take no further action for any low level breach. I imagine only serious breaches get any attention from anyone higher up.

Absolutely do not contact the other person. You must inform the organisation. Contacting the other patient/person with something so sensitive should be delivered by the correct channels in the correct manner by someone who knows their vulnerabilities. So they can say what has happened, how it happened and what action is being taken.

When mistakes are made they go very, high up they are taken very seriously. The person who made the mistake will be informed and will be accountable professionally but personally, I have seen smaller errors than this and the stress can nearly break people. Breaches of confidentially are and should be taken very seriously indeed but there is a person at the other end and unfortunately human error happens.

@SunshineCake if you live in a village with one GP surgery for instance there's a good chance it might not be a stranger who got your records.

Breaches of confidentially are and should be taken very seriously indeed but there is a person at the other end and unfortunately human error happens

I do find it interesting reading the ICO reports - just to see the kind of thing that they 'get excited about'.

Biggest thing seems to be marketing calls.

@whataboutbob

It was sent in error. People make mistakes. In all likelihood they will know full well the gravity of their mistake and be quite scared now. Contact the sender, explain it’s been sent in error, delete and leave it at that surely? Earlier this year I was sent a letter meant for someone else, not medical but financially sensitive. I deleted and let the sender know.

I agree with this.

Let them know, delete and carry on with your life. You may make a similar mistake some day!

I used to work at an adoption charity where a colleague sent a prospective adopter's 'home study' report (basically a couple's entire life history, previous relationships, childhood experiences, every place they'd ever lived, details of finances etc), to the wrong email address because of a typo. If anything I'd say that was an even more serious breach than this one, and the colleague wasn't subject to any disciplinary action, and no fines were paid, though of course the incident was reported to the ICO.

I think the ICO seem more interested in things being reported to them timeously, and any action the organisation takes to ensure the cock-up doesn't happen again, in my experience.

Just to say, if you report to the ICO and you want a report back from them, you need to ask for an assessment.

In my voluntary role I open post (with a member of permanent staff) , because of the nature of the organisation we are often sent medical details, drug regimes, minutes of group consultations etc. If the envelope is marked confidential we obviously don't open it and pass it to the clinical manager. But I am horrified at how many times we open unmarked envelopes only to find confidential documentation inside. I now recognise a number of the originators purely by their postage imprints, even if the originating organisation isn't noted on the outside, I obviously pass them on unopened, they soon come back if they aren't confidential.

Iwish more places would invest in a rubber stamp to mark confidential material appropriately.

You have a duty to destroy what was sent and contact the surgery to let them know.

Do not contact the other person as you yourself will be in breech of DPA

It needs to be reported to improve practice. End of story

Report it and leave it there. The person responsible will be in serious trouble with the employer - it’s written warning/dismissal territory (the latter particularly if the person has had similar happen). Unless that person couldn’t give a shit about their job, they will be having sleepless nights worrying about it.

There’s just no need for all the drama I don’t think. It’s human error and yes it’s serious in nature but human errors unfortunately don’t pick and choose their level of gravity.

I think I must be the only person that would not really care if Mrs X from a hundred miles away saw my medical records.

What could she do with them that would benefit her?

@ouch321

I think I must be the only person that would not really care if Mrs X from a hundred miles away saw my medical records.

What could she do with them that would benefit her?

Inclined to agree. Causing shit for others would appear to be a past time for many!

I'm quite shocked people would expect someone to have a disciplinary over this. Have you never sent an email to the wrong person before? Or a text? That kind of thing? If you're very busy and tired at work, it's the same thing, these things happen. They always will happen. This happens fairly frequently in my large organisation (including sending and receiving emails meant for other external organisations) and I've never heard of anyone getting in 'trouble' about it before. I guess if one person was doing it repeatedly and the information was particularly sensitive then maybe they would but errors are always going to happen sometimes.