What would you do if you got a copy of someone else’s confidential GP records

[Twinkletoesandspaghettios]

No poll just wondering exactly what you would do?

The summary care report was in with mine and had name, address, DOB, full medical history including details on social services and CAMHS involvement

Exactly
Even the one genuinely awful breach I reported, where someone's life was actually profoundly harmed, the ICO didn't do anything (they did praise how swiftly and robustly I took action on learning of the breach )

I think people have a lot of misconceptions about what the ICO can and will do

The best thing op can do is leave the paperwork unread and return it.

We all have a duty to take data protection seriously and it's op turn to show that now

Yes, and the newspapers, the PM, the pope and the local flaming torch and pitchfork brigade.
It’s a mistake, a serious mistake. It is not the end of the world, though, and does not need to be blown out of proportion.

I'd take it back to the surgery.and forget about it. Accidents happen

I got a hospital letter containing a letter for another patient, it contained a lot of confidential information. I contracted her GP practice so they could let her know.

That isn’t treating it seriously. They need to create a picture and can’t if incidents aren’t reported.

It could be the end of the world for some hence it being classed as a serious breach.

Yes, and sadly the ICO have created this misconception themselves. I remember when they launched the GDPR rules in 2018 it was very much posed as You MUST obey or there will be serious consequences etc The ICO also came out swinging with promises and threats of action they'd take.

They set up this misconception that they'd be fighting for everyone's data rights and rather like the wizard of Oz, there's actually nothing behind the curtain apart from someone at a desk with a biro. Thats it.

Contact the Data Officer at the organisation(hospital?) it came from. There will be a process for dealing with such incidents including notifying the other person and self reporting to ICO. NHS contract out their correspondence in many cases and it won’t be the first or last time.

Talking about MN er response. There would be pitch forks waving and zero understanding if a school did similar . The NHS seem to be allowed to do what they like by some. It’s not ok.

At the end of the day it’s not a choice if a school
or GP practice do it, it has to be reported.

But those in the NHS have to report data breaches regardless and have signed to say they have undertaken training to do just that.

It was the end of the world for me and my father's breach and ICO still did nothing at all. They never even got back to me.

I am not saying dont report, I am saying dont expect that anything will be done.

I can promise you it wont. Report all you want but absolutely nothing will happen as a result. Its like reporting into a void

Stop reading.

Contact whoever sent me them to ask what they wanted me to do.

Presumably either return them to sender / or shred them, depending on their instructions.

If they didn’t give me instructions, and assuming they were copy documents and not important originals, I’d shred them.

I don't think I'd want a stressed receptionist to lose their job over it. Or a GPs practice to be fined when they are already under a lot of pressure.

I had someone else's results letter attached to my file once, which I could see in my account online.

I rang the GP surgery to let them know straight away. Firstly, because I shouldn't have been able to see someone else's private information. Secondly, because my results letter wasn't on my file so presumably someone else was looking at it in their account.

I also told the individual whose letter I'd seen so they could raise with the surgery.

This was a fair few years ago, and it was the GP surgery uploading letters to the online thing. I know it's done directly by hospitals etc now so less straightforward.

Yes same, wouldn't do anything else

I informed them that I had someone else’s notes, they asked if I had read them - well duh! How else do u know they’re not mine? I returned them the next day, but kept proof of my email and phone call to them about it. Sure enough, I was being sued a few days later for a data breach. Sent my evidence to them and had no more about it.
Considered counter sueing but figured it was just someone who made a mistake.
Spent the next 6 years (and beyond) untangling it - this other woman has a similar NHS number to my own so 1/2 of “my records” are actually hers. It’s a clerical error and everytime I have to go the gp I have to start with “this is not x nhs number, so please ignore any references to y you see in the notes as they are not mine” still trying to untangle them now…

I once received an outpatient clinic list of about 20 patients under my local hospitals neurologist department, all their personal details (address, contact numbers, DOB), the dates and times of their appointment, their diagnosis, their previous treatments, upcoming procedures and their medications.

I called the Neurology team and explained what had happened and they were mortified.

I sent it all back via recorded delivery.

I know the team well as I’ve been under them for over 15 years myself, and I also work for the same NHS Trust so I know how much of a huge deal it is, and I trusted they would handle the error appropriately regarding breach of confidentiality procedures etc.

I didn’t make a huge drama of it myself though. I knew the person who had made the error would be in enough trouble and be feeling absolutely terrible about what had happened without me adding to it.

I just wanted to add that I didn't report the data breach to anybody else, just the GP surgery. Nor did the chap whose letter I had. The surgery manager was mortified and very apologetic. We didn't want people to get in trouble, just to highlight the issue, have it rectified and them sort their procedures to prevent a reoccurrence.

Neither of our results letters were for anything deeply serious or embarrassing. If the circumstances were different then we may have addressed it differently.

Yes!

I’d want it treated seriously and for it to be reported. You don’t do training just to ignore it. Not all GP records are the same. Some people would be devastated hence it being classed as a serious breach.

Did you see my posts above about how the ICO ignored my father's devastating serious breach?

I also frequently found patient lists which detailed patients names, NHS numbers, date of birth and a quite detailed overview of their medical issues, DOLS etc in my dads things when he was in hospital for a while because staff would just leave them laying about and he'd pick them up. He has dementia so had no idea what they actually were. I raised it multiple times but nothing ever changed. Literally the day he was discharged there was a bundle of them on his table with his newspapers.

Just because they’d didn’t get back to you doesn’t mean it wasn’t dealt with. Even if just a note is kept to see if there is a pattern it needs to be reported. It’s not a choice anyway.

This happened to me 16 years ago. I was reviewing my paper records before sharing them with my life insurance.
Turned up at Dr's and started reading a random page which was from when I was a teen. It was discussing an abortion and sexual assault that never happened to me.
I told the dr this wasn't my records and he insisted it was- the paper had my initial and surname and address at the time of the record. I realised it must be my sister who shared the same details and eventually found a reference to the patients dob which was hers. The Dr was very nonchalant about the whole thing and said they would check the records and sort it out.
I let my sister know, but not what I had discovered about her, just that our records from the time had been mixed together.
I still worry there is some kind of mistake or that this is why her life altering diagnosis was missed for so long.