Received someone else’s doctors letter in the post

[TheShyDeer]

I’ve recently been undergoing some tests at the hospital and have been waiting for a letter from a consultant who has recommended a referral to a different specialist. The letter arrived today with another women’s letter in the envelope. The letter was addressed to her doctors. Im going to call the women’s doctors tomorrow morning and tell them I have received this letter which they should have.

I’ve searched the women on Facebook and want to send her a message to tell her, I actually recognised her from the waiting room. is this strange? I’d like to know if all my details had been sent to a random person (name adress DOB doctors NHS number etc). Obviously once I’ve spoke with her doctors I will send it onto them or however they advise.

YBU- don’t message her
YNBU - message her

Dont message her; message the doctors.

Its their GDPR breach.

So your letter arrived, but enclosed was also another woman's letter?

Don't message the women contact the hospital and GP and let them know what has happened.

Don't contact the lady, just call the surgery and let them know, they can arrange for it to be re-sent to her.
Let the surgery investigate how it happened

Yes. I received both mine and her letter in the same envelope.

Oh no! Yeah I'd just drop the letter at the GP if it was close by, or shred it.

Don't contact the woman! Huge gdpr accident from the hospital x

Major GDPR breach. Do not contact her. Contact both the dr who sent the letter and the one it was addressed to.

I know it is strange to message her but I suppose what I’m trying to say is I would want to know and I’m not convinced the doctors/hospital will inform her.

No don't contact her. There's a chance you might have got the wrong person or she needs to get the information in the letter from her doctors. Contact the doctors like you plan and then do what they say to do with the letter. The doctors should inform her that this has happened.

If someone I didn't know messaged me on Facebook to say they had received a doctor's letter for me I would either think (a) they were trying to scam me somehow or (b) that if it was true they must have read it all in detail in order to be able to find me online - it feels stalkerish and a further invasion of privacy. You've done the right thing, but leave it there as it's for the surgery to sort out now and they are obliged to tell her what happened anyway.

They have to tell her

Companies have an obligation to record or report any breach. Contact her doctor and advise them this is what they need to do, so they dont try and hide it

Once you notify the practise they will be required to inform the other patient of the breach and they will need to report it to the ICO. https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breaches-a-guide/

They will tell her as its a big mistake and she will feel much more relieved if she knows the other woman shredded the letter and didn't read it or figure out who it was.

Call the hospital ASAP and the gp Dr's secretary as well if appropriate

Why would you contact her on Facebook? How intrusive!

Agree with this entirely

As others have said this is a data breach. It is the responsibility of the organisation that sent the letter to deal with it and that should include assessing the informing the person whose data has been breached and potentially also informing the ICO. I'd report it to the Data Protection Officer (if you google the name of the hospital/health board and data protection officer you should find contact details) because that should guarantee that it is dealt with in line with the law and not brushed under the carpet.

Thank you everyone.
I didn’t realise they would have to tell her so I will just call her doctors in the morning and take it from there.

I am obviously part of the minority who would appreciate knowing who had my details. My anxiety would not cope very well with wondering who had my details and it would cause me endless sleepless nights 🤦🏼‍♀️ I understand this wouldn’t be everyone’s response which is why I reach out on here to gauge what others would think what is “normal”

Fair enough that you have taken it on board - I do think that having had her privacy already invaded, you would effectively be doing the same thing again to track her down online.

Interesting that you say that you would want to know who had your information - in the scenario of contacting someone online you would know their name, but you wouldn't know anything else about them - they would still be a stranger. So I am not sure how you would find that comforting? I'm not having a dig, it just doesn't resonate with me because you still wouldn't know anything about them.

I’m fully aware it’s a data breach and the organisation has a duty to report it and inform the relevant person. But the op contacting her on Facebook is irrelevant to correct procedures and would be viewed by many as intrusive and unwelcome.

I would feel very uncomfortable being contacted like that over something medical as its just so personal. If you report it to the hospital who sent the letter they will send another letter and address the breach

I admit I did once track down someone whose mobile phone bills were being sent to my house. I tried calling the provider but they wouldn't talk to me because I wasn't the account holder. So in the end I found him on Facebook, sent a message, his flat was nearby and address very similar (imagine I'm House 3 Apple Street and he's Flat 3 Apple Court). I stuck them through his door and I presume he sorted it as I didn't receive any more. I wouldn't have messed about with someone's medical info though.

Honest answer, if you can’t sleep at the thought of someone else getting your details, seek help. You shouldn’t live your life like that it must be exhausting

Any GDPR breach has to be reported to the patient even when it causes distress and, in my opinion, they'd be better not knowing.

This happened to me! With smear test results 🫠. The person who received them contacted me on Facebook. The GP could not have been less interested! I was glad she told me, because I don't think the surgery would have.

As someone who’s had to deal with this in the nhs, the other person will be contacted. A DATIX incident will be completed and it will be dealt with. You won’t be informed of the outcomes, as it is (ironically) confidential, but they should tell you that they are going to follow gdpr and the policy and offer you the chance to raise it as a concern or complaint, but as your data hasn’t been breached there isn’t necessarily a complaint to you to answer and so you’ll just get a fairly short outcome and brief idea of lessons learnt and how they’ll stop it happening in future.

Theres a whole load of gdpr, informing relevant people, directors oversight and all sorts that will happen.

That’s what we do locally.

The person whose data was shared will be contacted, apology issued, process explained and offer for complaint / concern and details provided for that.

NHS duty of candour covers this, it’s all about not covering things up.

It’s a crap thing to happen, but usually human error and leads to conversations about double and triple checking before sending.

A lot of services are moving away from paper and digital only communications will go some way to resolve it.