Health firm gets 200k slap after IVF patients’ data leaks online (The Register)

A private health firm has been fined £200,000 after fertility patients’ confidential conversations leaked online.

The £200,000 monetary penalty was levied on HCA International, the operator of the Lister Hospital in London, following an Information Commissioner's Office (ICO) investigation into the way the hospital was transferring, transcribing and storing recordings of IVF appointments.

The problem came to light in April 2015, when a patient found that transcripts of interviews recorded with Lister Hospital IVF patients could be freely accessed by searching online.

The ICO's subsequent investigation revealed that, since at least 2009 (six years before the probe), the hospital had been routinely emailing unencrypted audio recordings of the interviews to a transcription company in India. The recordings, private conversations between doctors and patients seeking fertility treatment, were transcribed in India and the transcripts sent back to the hospital.

Worse yet, the Indian firm stored audio files and transcripts on an insecure server, leaving the confidential data accessible to world+dog.

HCA International breached the Data Protection Act 1998 by failing to take appropriate measures to ensure that its sub-contractor kept the data secure, earning it a heavy fine along with a public rebuke from the ICO.

Head of ICO enforcement Steve Eckersley said: “The reputation of the medical profession is built on trust. HCA International has not only broken the law, it has betrayed the trust of its patients.

“These people were discussing intimate details about fertility and treatment options and certainly didn’t expect this information to be placed online. The hospital had a duty to keep the information secure. Once information is online it can be accessed by anyone and could have caused even more distress to people who were already going through a difficult time,” he added.

HCA International already had appropriate safeguards in place in other areas of its business. “The situation could have been avoided entirely if HCA International had taken the time to check up on the methods used by the contract company,” Eckersley concluded.

The General Data Protection Regulation (GDPR), the new data protection law that applies in the UK from 25 May 2018, will strengthen the ICO's powers to fine companies. For the most serious breaches of data protection law, fines of up to four per cent of a company's global annual turnover, or €20m, whichever is higher, could be issued. ®

Source: SANS ISC SecNewsFeed @ February 28, 2017 at 06:15AM