What would you do if you got a copy of someone else’s confidential GP records

[Twinkletoesandspaghettios]

No poll just wondering exactly what you would do?

The summary care report was in with mine and had name, address, DOB, full medical history including details on social services and CAMHS involvement

I was once sent a prisoner's full medical records from his time inside, plus details of his release date and where he would be living. It was apparently meant for his GP but somehow came to our home address, addressed to 'The Doctor' and I opened it because I am a (academic) Dr. We don't have a GP surgery in the street or anything, so I had no reason to think it wasn't for me until I'd opened it. I rang the number on the letter as soon as I realised what it was and I could hear the person on the other end of the line going pale as I explained to her. She told me to shred it immediately and that it was an error by a junior staff member, and rang back a few hours later, basically to make sure I'd destroyed it. In retrospect, they were clearly mostly concerned with covering it up and I should have reported it, but this was many years ago and I wouldn't have known who to report it to.

It happens more than you think. Let them know about the error and return the paperwork.
Not ideal, but it is a human error.
I wouldn’t report above calling the office.

I certainly wouldn't contact the person whose data had been inappropriately shared with me. That would feel like an abuse of their private contact details by me, heaping one violation on top of another.

I'd just return it to the surgery and make sure I spoke to someone in the practice who seemed to be in a position to take proper note of the breach and act accordingly.

It was probably a stressed out receptionist who accidently fired it in a brown envelope. Yes not ideal but with all the ridiculous pressure GP surgeries are under do they really need the ballache of dealing with an admin error?

I have no doubt the GPS will have highlighted it and changed the practice so it doesn’t happen again going forward but what would reporting it actually achieve?

I would report it. Yes, no one was hurt and mistakes happen, but you don’t know if this data breach is happening a lot at this GP surgery. If you report it, they will have to investigate it and depending on the outcome, lessons will be learnt and improvements made.

Delete it.

Because that sounds better on soshal meidya…

They have a duty to report the breach. Email the practice copying in the practice manager and tell them what’s happened. They will either arrange to collect the papers or will ask you to bring them in.

I would. Would you want someone reading yours? It's really sloppy.

This is a massive error on their part and they should have to be held accountable.

they won’t do anything about it internally. I’ve worked in enough schools and medical settings to know that if something can be covered up, it will be.

This is incredibly common. I work for a national personal injury firm and we frequently receive other patients data mixed with our client data.

Contact practice manager as a matter of urgency; inform them you have been the recipient of a data breach and that your contact should be considered an official complaint. Inform them that they have 15 working days to respond to your complaint setting
out how they intend to rectify the data breach or you will inform the ICO.

A similar (not as much data but enough) happened to me this week and I did the above; the practice manager contacted me within 24 hours and explained they had removed the data from my medical records, would discuss the matter with their DPO as to whether they needed to inform the ICO themselves and also contact the patient whose data they breached (in my case, someone else’s online triage form, including their NHS number, case identifier and DoB, as well as the content of their triage form was uploaded onto my medical records, I was sent a text containing their data along with a decline to prescribe the requested medication). He also said they would let me know of the outcome of the discussion about whether they will refer themselves to the ICO m.

You need to ask yourself, what would I want done if it was my data? It's gone to someone in the same community, which adds a layer of risk. I'd want it reported to the ICO, if it was my data.

I don't think individuals can 'report a breach' to the ICO. It is the data handling organisations that can/must report the breaches they have themselves committed, if the breaches meet certain standards of seriousness.

Individuals can make complaints to the ICO but, as I understand it, only if they have first complained to the organisation holding their data and not received an adequate result.

And in any case, the complaining individual in this case would not be the OP but the person whose data was sent to the OP.

So no action is needed or possible beyond returning the data and checking someone appropriate in the practice is aware of what's happened.

No drama, no big deal, just an error the practice needs to be aware of

No

I doubt the person's whose notes you've read will feel as charitable towards whoever made this horrendous blunder. I'd be beyond livid. I'm assuming the practice will have a responsibility to inform them.

That makes no sens. Why would they compensate him? Nothing happened his data.

This happened to me when I picked up a pile of reports from my GP. At the bottom, was a fairly specific and detailed medical summary of a person that would have covered every aspect of their health. I called the GP office and let them know and asked them what they wanted me to do with it. They asked me to either drop it to them or destroy it. I put it in the fireplace and it was completely destroyed, so safe from ending up in anyone else's hands. That was the end of it.

Because they could’ve ended up being reported to the ICO and facing some pretty awful punishments. Think the other guy got compensation too

1000% you should. System can’t improve if its failings aren’t brought to the attention of the relevant people.

If you have the other patient’s contact details you should let them know too.

No, this has happened to me. I was delighted that I found out. Equally, I was the recipient of another family’s highly confidential information (Child Protection report). I handed it over to them at their home as it had their address on; their solicitor was very pleased. I hope the family was compensated appropriately by children’s social care. I flagged it up to the local authority’s information officer; I was bombarded with emails asking if I had destroyed the document. I realised that all they were concerned about was not having to report the breach to the ICO. Not about any potential distress or shame to the family. Apparently, if you can demonstrate that any breaches have been mitigated, then it’s not reportable. Sod that. Children and families deserve better.

This didn't happen.

Yes I would report it. I was once sent a lot of highly confidential information from a school to do with SEN and individual children. I reported it to the ICO.

In 2024, the ICO imposed a total of 18 monetary penalties, nearly identical to the number (17) it handed down in 2023.

In 2022, the ICO announced its ‘public sector approach’, an initiative (which was reviewed in the summer of 2024) to only impose financial penalties on public sector bodies in extreme cases

It absolutely did. He still has the emails to prove it.