
I've just been sent the full medical records of another person

169 replies

Chantelli · 16/09/2020 16:39

I asked for a report and medical reports under the FOI. I have been emailed a pdf of another person's full medical history instead of my own. The email was unencrypted and the name completely dissimilar to mine. I have emailed back and no response.

Surely this is illegal?

Nestme · 17/09/2020 10:04

Oh god, don't get me started on the GP receptionists bellowing out your business for the entire queue behind you and everyone in the waiting room to hear, or trying to get you to do so. I was in the queue at mine the other day when a poor bloke was trying to make an appointment. It was bad enough before but now you have to stand behind a barricade of plastic chairs and tape and the receptionist couldn't hear him through his mask, so after about 6 tries he had to bellow out ERECTILE DYSFUNCTION!! with accompanying hand gestures.

LearnedResponse · 17/09/2020 10:10

I agree with SNAFU. The posters who are trying to be “kind” and saying that we’re all human beings and everyone makes slip ups are missing the point - we know that everyone is human, we know that simple mistakes happen, but if you’re in a situation where tiny mistakes can cause big problems then you need to design them out of the process, or at least put checklists in place to minimise risk. That’s why this needs chasing up, not because some evil person made an error (while trying to stuff two separate envelopes while simultaneously answering the phones and staffing the reception).

DGRossetti · 17/09/2020 10:10

The flip side of such a lackadaisical attitude to data protection is how much of what they do have is right?

I had a delay of over a year getting a consultant appointment because the hospital kept sending the letters to an old address. (That's a story in itself).

LearnedResponse · 17/09/2020 10:16

Off topic but I agree about the problem caused by masks in pharmacists. I’ve had to collect a few prescriptions in Boots recently, and they’ve all taken three times as long as usual because with both parties wearing masks, having to stand back one metre from a plexiglass screen, and loud music being played (to help with confidentiality?) every sentence has to be repeated at least three times.

ummnamechange · 17/09/2020 10:42

Let's get this into perspective. 1 record sent to the wrong person is not a severe or systemic failing under GDPR.

Half a million records is a breach. The BA data loss was a serious breach, the Talk Talk hack was a serious breach.

Tell them they have sent the wrong record, tell them they need to self report to the ICO.

The point about encryption is interesting - I assume that you have the ability to connect with an encrypted mail server, have published your public encryption key or subscribe to something like Egress?

Password protection is almost laughably easy to break now.

MeadowHay · 17/09/2020 13:40

I don't think encryption even helps that much in these situations. All the wrong medical records we've had at work have been password protected I think, usually with the password sent in a separate email and sometimes to a separate colleague. Then we've opened them with a password to find it's someone else's records. Or what sometimes happens is x pages of the right records then suddenly a load of records belonging to someone else in the middle (not always immediately self-evident) and then the last few pages are the right ones again. And that kind of thing.

DGRossetti · 17/09/2020 13:46

The point about encryption is interesting - I assume that you have the ability to connect with an encrypted mail server, have published your public encryption key or subscribe to something like Egress?

Not really ...

And anyway, most organisations quite blithely send the password in the email.

And judging by the skills being lost versus skills being recruited, things aren't going to get better anytime soon.

Pobblebonk · 17/09/2020 15:55

I really don't see the point of sending these things via external encrypted websites like Egress. If you're going to attach the wrong documents to an email by mistake, what difference does it make that it's gone via the external site first?

What I don't understand about public authorities that use these is: what right do they have to send personal information to the owners of the encrypted site? They never seem to ask permission in my experience.

sueelleker · 17/09/2020 17:47

@SNAFUandFUBARsimultaneously: That's known as a 'never event', as in 'something that should never have happened'.

mumda · 17/09/2020 17:55

My local council now uses a secure system for sending subject access request information.
Might be something to do with real incompetence the year before last.

pleasehelpwi3 · 17/09/2020 18:13

Yes it’s really bad. Do you want to risk someone’s job over it?

Zoejj77 · 17/09/2020 18:15

Someone will lose their job over that

Dippydeedoo · 17/09/2020 18:19

I’m in the it was an error we are all human team.
My youngest son has been volunteering at the hospital for the last 5 months whilst Covid has wreaked havoc amongst our NHS and what he initially assumed was running errands turned into very much more, the staff and services are stretched so very much.

We are in a pandemic I think mistakes and errors will happen.

Jigsawpuzzles · 17/09/2020 18:19

Report to the CQC and local PALS. Someone is unlikely to “lose their job” over something if it’s a one off, however if the procedures they followed were not clear this should be improved. To be sure the circumstances of what occurred are clear and given the full account of events you should complain yourself.

YeaSure · 17/09/2020 18:36

@whataboutbob

Leave it at that? Sorry but No, it's a major Data Protection breach. It must be dealt with as such

Babymamamama · 17/09/2020 18:42

In your shoes I would actually just confidential waste what you have received. But then I'm quite superstitious and wouldn't want the bad karma of causing someone to lose their job.

Tas1984 · 17/09/2020 18:48

This happened to me once I got sent a letter but the letter was for another patient. Full name and details included. I sent him an iMessage and a photo of the letter informing him that I was sent it just in case it was important. He thanked me. Not sure if he complained to the hospital or not though but I would have been fuming.

IRIELADY · 17/09/2020 18:51

I did a brief stint for an organisation that processes medical records and scans them in to a computer system. Among these records were photos of a woman pre and post breast surgery, a graphic penile injury... Horrid things to look at and could be devastating to those involved if they arrived in the wrong hands.

exaltedwombat · 17/09/2020 18:54

Yes, a massive cockup. Tell them. Any harm done? Do you particularly want heads to roll over this?

Rosiebrown1 · 17/09/2020 19:19

It’s shocking that they haven’t even responded to your email after such an unlawful breach!!
Last year I had to move my 2 year old to another GP surgery after they gave out her medical history by mistake.
When I was made aware of it (and not by the surgery), I contacted the practice manager there who basically had the attitude of ‘these things happen’ and even had the cheek to ask me how I would stop it happening if it was my workplace!? 🤯
Sadly I didn’t complain to the ICO as I had a lot on at the time but it’s no excuse really.
Mistakes happen but one would at least expect an apology or, in your case, a bloody response! It’s just beyond inadequate to not even address it.
My advice is to contact the ICO and CC in the Chief Executive Officer of the Health Trust stating that you even emailed to bring it to their attention etc...
It’s a public disgrace IMO.

CareBearFan · 17/09/2020 19:24

I never understand why people say 'But they didn't mean to' as if it's some sort of justification. My baseline presumption was that your fuck-up wasn't intentional, and my anger level is proportional to that - can you imagine how much angrier I'd be if I thought you MEANT to do this shit?!

Glad you have had an answer OP. They sound a bit shit though!

chomalungma · 17/09/2020 19:59

They are reporting it as a breach and were unable to send my records password protected or encrypted so I am picking up paper copies

That's surprising. If they can email a PDF to you, then there are plenty of ways of sending a secure email - to ensure that you get it, that it can't be intercepted etc and that steps are taken to ensure that only the recipient's email receives it.

Or they could just post it to you - which relies on them having the correct address.

IRIELADY · 17/09/2020 20:05

@chomalungma

They are reporting it as a breach and were unable to send my records password protected or encrypted so I am picking up paper copies

That's surprising. If they can email a PDF to you, then there are plenty of ways of sending a secure email - to ensure that you get it, that it can't be intercepted etc and that steps are taken to ensure that only the recipient's email receives it.

Or they could just post it to you - which relies on them having the correct address.

And delivery by post would also depend on the postie delivering to the correct address, unlike my postman who regularly posts others' letters through the letterbox!

chomalungma · 17/09/2020 20:05

@Pobblebonk

I really don't see the point of sending these things via external encrypted websites like Egress. If you're going to attach the wrong documents to an email by mistake, what difference does it make that it's gone via the external site first?

What I don't understand about public authorities that use these is: what right do they have to send personal information to the owners of the encrypted site? They never seem to ask permission in my experience.

I think it's more to do with the encryption security you get vs the encryption with email attachments.

If you attach a document to an email, then it's not encrypted.

They don't need permission to use something like Egress - although there is an issue if it's not UK hosted under GDPR.

Plenty of companies use SharePoint to host your data - and they don't ask your permission for that. GDPR is not just about consent when it comes to data.

chomalungma · 17/09/2020 20:07

And delivery by post would also depend on the postie delivering to the correct address, unlike my postman who regularly posts others' letters through the letterbox

Or the GP ensuring they have updated your address - and not sending out information to old addresses.