
I've just been sent the full medical records of another person

169 replies

Chantelli · 16/09/2020 16:39

I asked for a report and medical reports under the FOI. I have been emailed a pdf of another person's full medical history instead of my own. The email was unencrypted and the name completely dissimilar to mine. I have emailed back and no response.

Surely this is illegal?

FelicisNox · 17/09/2020 20:18

As above.

Total breach of Data Protection Act.

bemusedmoose · 17/09/2020 21:53

I've just had similar - my records and someone else's not even in the same county were mixed - she was getting my prescriptions and I was getting hers. Not the same name, town, county or GP!

Pobblebonk · 17/09/2020 23:49

They don't need permission to use something like Egress - although there is an issue if it's not UK hosted under GDPR.

But why not? It entails putting highly confidential information into the possession of an offshore company.

Rosspoldarkssaddle · 18/09/2020 00:08

Aside from reporting the breach to the ICO and the DPO of the organisation, they have demonstrated they are not using "appropriate technical measures" to send sensitive data. This is huge and a must-have for all data transfers.

Aridane · 18/09/2020 04:56

Let's get this into perspective. 1 record sent to the wrong person is not a severe or systemic failing under GDPR

Yes, let’s get this in perspective.

ICO will look at systemic errors - and if failure to protect and send password in separate email is a systemic issue, then that is an important perspective (compared with sending one letter manically to the wrong address)

Rollmopsrule · 18/09/2020 05:18

'Lots of merry hell and shit flying around. This is a breach and someone made a mistake. It should be reported. The end.'
^^
Agree with this. It will be reported as an incident, investigated, preventive precautions put in place and an apology issued. What more does anyone want??

chomalungma · 18/09/2020 08:00

But why not? It entails putting highly confidential information into the possession of an offshore company

It's got UK based centres - and it holds the appropriate security certification.

If it was sent via email - where do you think Yahoo has its servers? Google? etc. How many internet companies have UK based servers?

www.egress.com/security/certifications

Hiddenmnetter · 18/09/2020 08:05

I'm not sure why they don't have even basic encryption on delivered mail, that has a fairly simple decryption using the same level of identification required over the phone, i.e. to unlock this document you need your surname, dob and post code. Then if the document is blind you can try putting the information in and if it doesn't work, email back to request a new copy.

chomalungma · 18/09/2020 08:17

If people are interested in where their data is stored when it comes to email servers, Facebook, Google etc....

www.theguardian.com/technology/askjack/2020/feb/27/can-i-move-my-data-to-the-eu-before-google-shifts-it-to-the-us-Brexit

VirtueClapper83 · 18/09/2020 08:51

Christ, can no one make human errors anymore? Nobody has died. No harm will come of this. If it was me, I’d simply inform whoever had sent these documents of the mistake. I’d have no interest in reading their content out of respect for the other person. Why does the other person even need to know what’s happened?

sueelleker · 18/09/2020 09:29

Why does the other person even need to know what’s happened?
Well, I'd want to know if my private information is being sent out willy-nilly.

BrimFullOfAsher · 18/09/2020 11:45

No reply as they are currently running around like headless chickens, bricking it and pointing fingers trying to damage limitate and design a means of sweeping it under the carpet

Aridane · 18/09/2020 12:57

Why does the other person even need to know what’s happened?

Because it’s the law

bumblingbovine49 · 18/09/2020 13:07

@ouch321

I think I must be the only person that would not really care if Mrs X from a hundred miles away saw my medical records.

What could she do with them that would benefit her?

I feel like this as well but we seem to be in a minority. I suppose some people would be really upset and I can imagine why but I really struggle to get so het up about this sort of error.

BrimFullOfAsher · 18/09/2020 13:24

I guess it depends on what is in your medical records as to how much you 'care' and to whom they were delivered.

There is possibly extremely sensitive information in there, possibly pertaining also to your children etc. They could have ended up in the hands of anybody of any type of character.

Not to mention a full medical history and individual personal identifiers that, if in the wrong hands, could be used for all sorts of non desirable means.

OP currently knows this person's universal NHS number, I bet the person in question doesn't even know that

VirtueClapper83 · 18/09/2020 14:59

There could be a whole range of reasons for this data breach from courts day on the job to downright incompetence. People are quick to assume the latter.
@BrimFullOfAsher
I don’t know my national insurance number but I’m sure a lot more problems can occur if someone gets hold of that than an NHS number.

VirtueClapper83 · 18/09/2020 15:00

*first day on the job

VirtueClapper83 · 18/09/2020 15:51

There are scumbags all over the world maliciously trying to get our details. They are the ones who deserve prosecution, not the people working for organisations assisting us in our day to day lives. We should be going easier on them when these rare events do happen. It’s as much the system that has failed in its checks

BrimFullOfAsher · 18/09/2020 15:56

I'm not suggesting that anyone deserves to be punished at all. Errors do happen.

But this IS a serious error and there are clearly failures in their processes to safeguard from this kind of incident. And that's at more than a personal level.

I can almost guarantee that the person who posted them wasn't the person who printed them, and they probably weren't the person that processed the request.

The whole system needs to be investigated to identify the root cause and put in place safeguards to stop it happening again.