
What would you do if you got a copy of someone else’s confidential GP records

230 replies

Twinkletoesandspaghettios · 09/05/2026 23:09

No poll just wondering exactly what you would do?

The summary care report was in with mine and had name, address, DOB, full medical history including details on social services and CAMHS involvement

AllTheChaos · 10/05/2026 00:08

alexandrasm · 09/05/2026 23:56

Because they could’ve ended up being reported to the ICO and facing some pretty awful punishments. Think the other guy got compensation too

That’s not how it works, I’m afraid he told you a porkie. A fine isn’t issued just because of an error. Systematic errors, failure of procedures, lack of adequate procedures, ongoing inadequate security, inadequate training, basically things other than human error, would be needed to mean a fine was possible, unless that human error had resulted in pretty damned serious harm. Especially if this was pre-GDPR enforcement, when the ICO was fairly toothless.

notthatoldchestnut · 10/05/2026 00:09

This happened to me. A letter for another patient got uploaded onto my NHS portal from the GP. I called them, told them there was a data breach and that they needed to remove it. It was done within minutes and they thanked me for letting them know.

AllTheChaos · 10/05/2026 00:11

Just to add, the organisation would be expected to report to the ICO anyway; paying data subjects off to avoid reporting IS something that could result in a fine! Most reports are basically just acknowledged by the ICO and go on the company’s near miss register or internal reporting of breaches, because most breaches are minor.

Littlemisssunshine1982 · 10/05/2026 00:11

Personally I’d want to know if my records were shared, and hope whoever had read mine would forward those onto me so that I can decide what I want to do

DallasMajor · 10/05/2026 00:12

alexandrasm · 10/05/2026 00:08

It absolutely did. He still has the emails to prove it.

He didn't get a 50k loan written off because he was sent someone else's house deeds.

If you are going to embellish, at least make it remotely believable.

AliceandOscar · 10/05/2026 00:16

maudelovesharold · 09/05/2026 23:25

Why did they write off his loan, when he wasn’t the injured party?

Because before the digital days, written house deeds were proof of ownership and if he kept the deeds it could have caused massive problems up to and including him claiming ownership.
The loan write off was probably a thank you for just returning them.
I know this partly because when we bought our last house, it was built in 1790, was not land registered, and ownership proof had to be provided for every sale since that date to show that the owner had the right to sell it. We now have some wonderful handwritten house deeds, but now it’s all electronic and this isn’t needed anymore.

DallasMajor · 10/05/2026 00:20

£50 is a thank you. I think you have mixed up the decimal point.

godmum56 · 10/05/2026 00:24

Saltnchilli · 09/05/2026 23:36

I would report it. Yes, no one was hurt and mistakes happen, but you don’t know if this data breach is happening a lot at this GP surgery. If you report it, they will have to investigate it and depending on the outcome, lessons will be learnt and improvements made.

This. The once that you know about may not be the only time it has happened.

EBearhug · 10/05/2026 00:32

It’s such an easy mistake to make. If it were my records (provided it didn’t end up online or copies being made) and it was handed back to the surgery I wouldn’t even want to be told

Yes, it is easy, which is why they should be checking more carefully. But I agree that more awareness and training is more useful to the organisation than a huge fine.

ImFinePMSL · 10/05/2026 00:36

Twinkletoesandspaghettios · 09/05/2026 23:15

If something of this level of confidential information was given out from your team, would you report it to the Information Commissioner's office?

I work in the NHS.

I have been sent, in error, a patient's notes with identifiable information on.

I immediately reported this via IR1 System (incident reporting system) and also emailed the Trust’s Information Governance team with the details.

I then deleted all traces of this patient's notes from my computer. (Someone had scanned the notes and sent them to my email address in error.)

bigboykitty · 10/05/2026 00:38

Twinkletoesandspaghettios · 09/05/2026 23:15

If something of this level of confidential information was given out from your team, would you report it to the Information Commissioner's office?

Yes - this is a requirement. As well as contacting the surgery and arranging safe return of the notes. I would tell the ICO in case the surgery didn't.

MrsBennetsPoorNervesAreBack · 10/05/2026 00:40

The threshold for reporting to the ICO is actually pretty high. Organisations are supposed to risk assess each situation to decide whether or not a particular breach meets that threshold.

Most breaches don't need reporting. On the one occasion where I thought the risk was high enough to be reportable, the ICO did not agree and they told me that it hadn't been necessary to report.

In answer to the OP's question, I would report the breach and comply with whatever instructions they gave me about deleting the data.

Yellowcakestand · 10/05/2026 00:41

You should inform the team who sent it to you. They should report it via an incident form and investigate how this happened. They will also need to inform the patient whose information was shared. It will be reported to the Information Governance team. Learning will come from this.

MrsBennetsPoorNervesAreBack · 10/05/2026 00:41

EBearhug · 10/05/2026 00:32

It’s such an easy mistake to make. If it were my records (provided it didn’t end up online or copies being made) and it was handed back to the surgery I wouldn’t even want to be told

Yes, it is easy, which is why they should be checking more carefully. But I agree that more awareness and training is more useful to the organisation than a huge fine.

The ICO would not issue a fine in this situation.

StrictlyCoffee · 10/05/2026 00:42

maudelovesharold · 09/05/2026 23:25

Why did they write off his loan, when he wasn’t the injured party?

Quite. As if they’d write off a £50k loan in any event

maudelovesharold · 10/05/2026 00:44

Blimey, that was a lucrative (for your Dad) balls-up by the bank! I suppose the person whose deeds he got never knew about it…

ColdAsAWitches · 10/05/2026 00:44

AliceandOscar · 10/05/2026 00:16

Because before the digital days, written house deeds were proof of ownership and if he kept the deeds it could have caused massive problems up to and including him claiming ownership.
The loan write off was probably a thank you for just returning them.
I know this partly because when we bought our last house, it was built in 1790, was not land registered, and ownership proof had to be provided for every sale since that date to show that the owner had the right to sell it. We now have some wonderful handwritten house deeds, but now it’s all electronic and this isn’t needed anymore.

"Because before the digital days, written house deeds were proof of ownership"

But you said he still has the emails, so this isn't from a pre-digital time! There's no way a bank wrote off a 50k loan AND gave compensation for accidentally sending a set of deeds. Banks don't throw away that kind of money as a thank you!

kkloo · 10/05/2026 00:44

alexandrasm · 10/05/2026 00:08

It absolutely did. He still has the emails to prove it.

What were they compensating him for? His data wasn't breached.

StrictlyCoffee · 10/05/2026 00:46

ColdAsAWitches · 10/05/2026 00:44

"Because before the digital days, written house deeds were proof of ownership"

But you said he still has the emails, so this isn't from a pre-digital time! There's no way a bank wrote off a 50k loan AND gave compensation for accidentally sending a set of deeds. Banks don't throw away that kind of money as a thank you!

Exactly. Your dad’s been pulling your leg I fear.

StrictlyCoffee · 10/05/2026 00:50

DallasMajor · 10/05/2026 00:12

He didn't get a 50k loan written off because he was sent someone else's house deeds.

If you are going to embellish, at least make it remotely believable.

A £50k loan written off AND compensation!

Wonder what the other guy got?

The tale about them doing it because they’d have got hammered by ICO makes no sense as that could still have happened anyway. You can’t buy people off reporting data breaches.

MrMucker · 10/05/2026 00:51

ThePieceHall · 09/05/2026 23:28

Track down the poor person whose personal information has been compromised and let them know. The decision about what to do should be theirs.

Don't be ridiculous.

ThePieceHall · 10/05/2026 00:54

MrMucker · 10/05/2026 00:51

Don't be ridiculous.

I’m not. I did it. Why is it ridiculous? It happened to me. I would have loved for the other party to notify me.

Monzo1ss · 10/05/2026 01:00

Medical records are boring as fuck, I wouldn’t read them.

My experience was a bit worse, in that someone accidentally put a record meant for someone else in my medical records. I found out through a SAR. They said the practitioner no longer works there but I can’t recall if they actually removed the info from my records. It was basically saying “patient was talking about his son” when I am female and in my 20s without kids, so it clearly wasn’t about me.

AtomHeartMotherOfGod · 10/05/2026 01:01

Just give it back, to be honest. I wouldn't read it.

OneMintWasp · 10/05/2026 01:03

Twinkletoesandspaghettios · 09/05/2026 23:15

If something of this level of confidential information was given out from your team, would you report it to the Information Commissioner's office?

I would contact them and inform them. In my NHS org we (as staff) would have to report it as a data breach to IG (Information Governance) who would investigate and ensure systems are in place to prevent a repeat. This is something I feel the NHS deal with well as there is very much a no blame culture (unless it was malicious / deliberate) and the investigation is about solutions, improvements and mitigation rather than discipline.