
Publication date: 3rd September 2014

Report of Health and Social Care sector Level 2 Information Governance Serious Incidents Requiring Investigation recorded and now closed during 1st July to 30th September 2014

Purpose

This is the fourth published report of closed level 2 [1] Information Governance Serious Incidents Requiring Investigation (IG SIRIs) recorded on the IG Toolkit Incident Reporting Tool. This type of report will be published on a quarterly basis as specified in the IG SIRI Publication Statement [2].

The report below consists of 62 incidents reported to the Information Commissioner’s Office (ICO), Department of Health (DH) and NHS England (NHSE) by Health or Adult Social Care organisations or suppliers (as advised within the IG SIRI Guidance issued 1st June 2013). It covers IG SIRI level 2 incidents closed during the period of 1st July to 30th September 2014, following investigation by the local organisation(s) concerned. It contains the organisation name, date the incident occurred, scale (e.g. the number of data subjects affected presented as a range), a description of the incident and data involved. All information displayed below is as reported by the organisation(s) concerned.

Please note:

A ‘Closed’ incident means that the incident has been investigated by the local organisation and no further action is required unless the ICO make a request.

Closed incidents may still be under review by the ICO and any actions taken will be published on the ICO website.

This report does not include level 2 incidents which are still marked as open and therefore still under investigation by the local organisation.

Any near misses, Level 0 and 1 incidents voluntarily reported by organisations are also excluded as these incidents are not currently being monitored by the Health and Social Care Information Centre (HSCIC) but are useful for gathering intelligence, analysing trends and learning from previous occurrences.

Details of such incidents are held by the local organisations.

Next reports 

The next closed level 2 IG SIRI report will be published by the end of January 2015 covering the period October to December 2014.

[1] Level 2 IG SIRIs are sufficiently high profile cases or deemed a breach of the Data Protection Act or Common Law Duty of Confidentiality, and hence reportable to the Department of Health and Information Commissioner’s Office. Organisations have used the IG SIRI assessment of severity facility to determine this level and report the incident. Further information on this can be found in the ‘Checklist Guidance for Reporting, Managing and Investigating IG SIRIs’.

[2] https://www.igt.hscic.gov.uk/resources/IGIncidentsPublicationStatement.pdf

Closed Level 2 IG SIRIs from 1st July to 30th September 2014

Organisation Name | Date of Closure | Scale of Incident | Details of Incident | Data

University Hospitals Bristol NHS Foundation Trust

22-Sep-14

Information about 1,001-5,000 individuals

Diagnostic images transferred to external research agencies are anonymised by removal of patient identifiable tags in the image metadata. This is achieved through use of tools provided by the PACS suppliers, however this does not remove embedded patient data within the image itself because any change to the image file invalidates use of that file for any purpose. It can be achieved manually but this is not usually done due to the time required. Images have therefore been distributed with limited patient identifiable information embedded. But the nature of the files used means that viewing can only be undertaken by specialist systems as used by research agencies, and the information is limited making definite identification unlikely. This practice has continued since digital radiology systems were introduced and radiology estimate for images processed in this way is 3000-4000 in that time. This process is not unique to UH Bristol.

Diagnostic images

HERTFORDSHIRE PARTNERSHIP UNIVERSITY FOUNDATION NHS TRUST

01-Sep-14

Information about 51-100 individuals

Cabinet was labelled to be retained. When staff realised that cabinet had been removed, the builder who removed it confirmed the name and address of the disposal company that it had been taken to. Disposal company confirmed cabinet had been processed and that cabinet had been destroyed. Disposal company confirmed that cabinet was not opened to remove content and cabinet and content was destroyed in its totality.

1. Copies of CQC letters that were waiting to be filed (can’t be precise on how many but about 50 copy GP letters)
2. Coroner’s Report copy (xx)
3. All of XXX ADHD client files (including Barclays questionnaires that had been completed)
4. Copies of doctor’s private reports, DVLA reports etc.
5. Copies of prescriptions that have been faxed
6. Verification sheets of faxes that have been sent in connection with clients
7. Denzapine file (copies of prescriptions for our clients on Denzapine)
8. Miscellaneous correspondence
9. XXX and XXX annual appraisals
10. Neb’s private file (courses she has been on – certificates) annual leave/study leave applications etc.

NORTHAMPTON GENERAL HOSPITAL NHS TRUST

30-Jul-14

Information about 51-100 individuals

A member of staff sent an email containing the number of expected deaths that were not recorded on the end of life care register to members of the end of life strategy as requested at the last meeting. The individual thought all the identifiable patient data had been removed but had not. This resulted in personal information about patients who had died being sent to the CCG on named email account

• NHS Number
• Patient's full name
• Date of Birth
• Diagnosis (in a few cases)
• Date of Death

BARNET, ENFIELD AND HARINGEY MENTAL HEALTH NHS TRUST

16-Sep-14

Information about 5,001-10,000 individuals

As part of a service reorganisation admin staff has recently moved offices. A filing cabinet containing 27 patient medical records had been left in the vacated locked office in preparation for July outpatient clinics. When the medical records clerk went to retrieve some of the records from the filing cabinet she discovered that the cabinet had been removed. On further investigation she was made aware that the cabinet was removed by an external company on the instructions of the Trust's XXXXXX, on the assumption that the cabinet was empty. The XXXXXX has confirmed that only the top drawer of the cabinet was empty. After an extensive search we are unable to locate the records in any other areas. On initial questioning both parties involved in removing the cabinet confirmed that they had checked that the cabinet was empty, however it has now transpired that neither parties had checked. An investigation is now underway.

Patient medical records containing personal sensitive data relating to their mental health

CHESHIRE AND WIRRAL PARTNERSHIP NHS FOUNDATION TRUST

07-Aug-14

Information about less than 10 individuals

New employer liability claim form containing details of new claim and DATIX incident form containing sensitive patient mental health information accidentally emailed to member of the public. Email sent to member of the public in error. Human error due to the email system storing external email contacts as well as internal contacts. Member of staff thought she was emailing member of staff but selected external contact by mistake. Member of public emailed immediately and they confirmed that they were deleting the email trail. DATIX incident form completed.

Email containing details of new employer liability claim, employer liability claim form and DATIX incident form containing three staff members' names, one of which included address, date of birth, national insurance number and occupation. DATIX form also included patient name, date of birth and sensitive mental health information. Email sent to member of the public in error. Human error due to the email system storing external email contacts as well as internal contacts. Member of staff thought she was emailing member of staff but selected external contact by mistake. Member of public emailed immediately and they confirmed that they were deleting the email trail. DATIX incident form completed.

NORTHAMPTON GENERAL HOSPITAL NHS TRUST

04-Jul-14

Information about less than 10 individuals

The CCG hold a Serious Incident Assurance Meeting (SIAM) where the Trust presents evidence to demonstrate that the actions from closed Serious Incident investigations have been completed. Following the meeting in May 2014, the CCG requested that the Trust emailed copies of the completed action plans with embedded evidence.

On 16 June 2014, the requested action plans were emailed from the Trust’s standard email address to the Senior Quality Improvement Manager’s standard CCG email address.

The Senior Quality, Risk & Litigation Manager was informed by the Patient Safety Lead at the CCG that in one of the action plans was an embedded Excel spreadsheet which contained details of the following patient information:

• PAS Number
• NHS Number
• Patient's full name
• Date of Birth
• Age
• Sex
• and in very few cases the patient's condition

The Trust does not send patient identifiable data (PID) to the CCG, all information regarding serious incidents is usually anonymised. The action plans are presented by the Directorates with evidence embedded into the document; sometimes this information does contain PID. Although it is usually checked by the Governance team, in this case the database was contained in a long trail of emails which had been embedded into the Word document and it was unfortunately missed by the team.

NHS patient identifiable data

CENTRAL AND NORTH WEST LONDON NHS FOUNDATION TRUST

19-Aug-14

Information about 101-300 individuals

On Friday the 20th it was planned to clear two large XXXXX offices in the low secure services. These have been in a poor state of cleanliness and organisation for a number of years. Given recent staff changes and new appointments due to join the team, clearing this space was pressing. We agreed that therapies staff and associated honorary contracted assistants would clear the offices. Confidential waste was to be placed in bags for shredding and separated from non-confidential papers. Despite the investigation carried out, it is not clear how the confidential papers turned out on the floor near the bins.

Psychological report; confidential file; Psychiatric reports. The papers found were shredded so an exact account of what they contained is difficult.

CORNWALL PARTNERSHIP NHS FOUNDATION TRUST

30-Jul-14

Information about 11-50 individuals

Two Care Plans were required to be given to two different patients. They were placed in the office separately but close by. Staff were advised to hand them out later. Sometime later they had not been handed out and a member of staff picked up the Care Plans believing them to be one plan and delivered them to the patient named in the top Care Plan.

NHS patient data

IPSWICH HOSPITAL NHS TRUST

27-Aug-14

Information about less than 10 individuals

Car parked on road outside the support worker's house. Realised her bag was missing from the boot of the car. Police contacted. Folder contained paper information relating to 249 patients who have been invited to use the XXXXXX services since 2013.

name of patient, patient's telephone number, name of midwife and expected date of delivery

KENT COMMUNITY HEALTH NHS TRUST

16-Sep-14

Information about 51-100 individuals

Birth notifications were scanned to a multi-functional device, then inadvertently emailed from the device to a third party organisation (not NHS)

The data included medical information regarding mother and baby


University Hospitals Bristol NHS Foundation Trust

21-Aug-14

Information about 101-300 individuals

Patient confidentiality breach. Two patients visiting from Vietnam living in same accommodation have same surname and first name differs by only one letter. Both screened for TB. Both patients have positive Quantiferon test requiring treatment. One patient had deranged liver function, which would be a contraindication to starting treatment without further investigation. Results for patients with deranged blood tests given to patient who was ok to start treatment. This caused distress to the patient but then informed of the error once stopped during consultation and reassured. Treatment options discussed with patient based on results.

Patient informed during consultation that incorrect results had been given due to an error in the correct medical notes being available. Other patient contacted by consultant to discuss error and information release to other patient.

The information was inadvertently disclosed verbally.

St Andrew's Healthcare (Original code of NTY85)

07-Aug-14

Information about less than 10 individuals

Staff data was provided to the potential supplier of the Time & attendance (T&A) system. The provider had not yet been officially awarded the contract for the T&A system but had signed a Non-disclosure agreement. The information was sent by insecure means

Staff data.

LEICESTERSHIRE PARTNERSHIP NHS TRUST

15-Aug-14

Information about 11-50 individuals

The XXXXXXXX removed all deceased patient records from local Nursing Home to take back to base for archiving on 1 May 2014. The (approximately 50 sets) of notes were put into two large plastic sacks labelled - 'NHS Property Domestic Waste Only', and transported to base. The sacks were put behind the administrator’s desk and told that they required archiving. The bags were noted to still be behind the administrator’s desk on 6 May 2014 but on 13 May, it was noted that they were no longer there. On talking to the cleaners, it was determined that the sacks had been put out with the Domestic Waste

Patient held Community Nursing record detailing name, address, date of birth, diagnosis, care plans, assessments and evaluations

NOTTINGHAM UNIVERSITY HOSPITALS NHS TRUST

24-Sep-14

Information about less than 10 individuals

On 9th May 2014 PALS office received an email from a patient raising concerns that an unauthorised member of Trust staff has allegedly viewed her records and subsequently divulged information to a family member

NHS patient data (including results and demographics) on Trust system (NotIS). Accessed via staff password.

WEST HERTFORDSHIRE HOSPITALS NHS TRUST

29-Sep-14

Information about 51-100 individuals

The Information Governance (IG) department were notified by automated email from SOPHOS as email traffic from the Trust is monitored. SOPHOS identified the email going out into the public domain as unencrypted and containing confidential information. IG informed the Risk & Governance department and the Senior Information Risk Owner.

Detailed clinical information and restricted confidential information from the Parliamentary & Health Service Ombudsman (PHSO)

KENT COMMUNITY HEALTH NHS TRUST

16-Sep-14

Information about 51-100 individuals

The nurse was not transporting the notebook in accordance with Policy. The notebook was found by a member of the public and handed in to a health centre, where it was returned to the nurse concerned. The notebook was being held in addition to the staff member’s diary.

Patient demographic details / medical information

SURREY AND BORDERS PARTNERSHIP NHS FOUNDATION TRUST

07-Aug-14

Information about 11-50 individuals

A clinical service completed a comprehensive assessment on a child and sent to the Shared Business Services (SBS) in error. The clinical service thought this was the correct address to send the report in order to gain the funding for the assessment. SBS sent the assessment back to the Trust and they have reported this to NHS England.

A comprehensive child assessment

WYE VALLEY NHS TRUST (RLQ)

22-Aug-14

Information about less than 10 individuals

Accidental loss of an unencrypted memory stick containing 50 records of Ophthalmology audit data, with local hospital ID, name and year of birth. Clinical information relating to retinol scans and visual activities and date of treatment. Actual location and time of loss unknown. Incident took place a couple of weeks ago, only reported today following extensive search. Possibility the patient could be identified from data held. Reputational risk if memory stick found by member of the public

NHS patient data

St Andrew's Healthcare (Original code of NTY85)

07-Aug-14

Information about less than 10 individuals

Ward Social worker accidentally sent an unprotected safeguarding referral to external source. The document has sensitive information as defined by the data protection act for both patients identified. The error was not identified until 30/4/14. Too late for a document recall. External source contacted who stated that they had immediately deleted the e-mail without reading the document

Patient information. A safeguarding referral.

NOTTINGHAM UNIVERSITY HOSPITALS NHS TRUST

24-Sep-14

Information about 100,000+ individuals

Complainant contacted Human Resources- she had received an anonymous letter alleging that a member of staff had accessed medical records without a legitimate reason to do so.

Medical records

BRADFORD TEACHING HOSPITALS NHS FOUNDATION TRUST

21-Aug-14

Information about less than 10 individuals

An unencrypted email that contained patient data in an attachment was sent to the supplier HSS as part of the testing for the migration of the radiology system. The details of 93 patients were included in the email, ranging from demographic data to copies of detailed clinical reports. There is a contract in place with the supplier to process this information in the course of implementing a new radiology system, however the email was sent unencrypted.

NHS patient data was included in the email which was sent as part of the testing for the migration of the radiology system. The attachment contained a number of sections, five of which included patient data.
Section 2: Contained hospital number, surname, forename and date of birth for 9 patients
Section 9: Contained NHS number, hospital number, surname, forename, date of birth, address and postcode for 13 patients. This also contained the same details and date of death for 1 deceased patient.
Section 10: Contained NHS number, hospital number, name, address, date of birth and detailed clinical information for 9 patients
Section 12: Contained name, age and gender for 61 patients

KENT COMMUNITY HEALTH NHS TRUST

16-Sep-14

Information about less than 10 individuals

In contravention of the organisation's Information Security Policy / Data Protection and Confidentiality Policy / Confidentiality Code of Conduct, information was sent insecurely to the correct recipient.

The information included patients name, date of birth, diagnosis, Consultant, NHS NO, School, date of last review, Address, Telephone number, Ethnicity, and GP

IPSWICH HOSPITAL NHS TRUST

28-Aug-14

Information about less than 10 individuals

Blocks Solicitors based in Ipswich town centre wrote to the Trust advising they found a neonatal patient list outside their premises. They returned the list to the Hospital in the post. It is believed a member of medical staffing would have this list as part of their role and accidentally took it off site.

The list contains information relating to 20 babies. Information includes patient name, dob, hospital number, weight, age in days, medical details e.g. suspected sepsis, medication and tasks for staff e.g. chase magnesium. The list is dated 7 April 2014.

LEEDS AND YORK PARTNERSHIP NHS FOUNDATION TRUST

22-Sep-14

Information about less than 10 individuals

Letter received by wrong college, not addressed to a specific person so opened by admin staff. Detailed correspondence relating to a user of the service. Reported back to the service by the erroneous recipient who also confirmed that this was the 2nd time they had received such a letter in error and had previously informed the service of this.

Detailed correspondence containing identification / demographic data, and sensitive data concerning the mental health of the service user.

NORTH TEES AND HARTLEPOOL NHS FOUNDATION TRUST

11-Jul-14

Information about less than 10 individuals

A call was received from a neighbouring Trust to say that a document containing information including patient names and dates of birth and dates of dental appointments/other dates had been found in a Community hospital car park. Data from the document was read out over the phone, and confirmed the document was one used within the Community Dental Service

List of patients includes Name, DOB, and referral to treatment, appointment dates and length of appointment.

THE ROTHERHAM NHS FOUNDATION TRUST

21-Aug-14

Information about 11-50 individuals

Letters posted in a windowed envelope instead of a plain brown envelope with self-adhesive label. This then got sent through the normal post route instead of the courier service. The letters had been stapled together and showed the patient name at the top instead of the GP Practice.

Patient data including diagnosis results.

Norfolk Community Health and Care NHS Trust

26-Sep-14

Information about less than 10 individuals

NCH&C are commissioned to provide an IT service to North Norfolk Healthcare CIC (referral management centre). North Norfolk Healthcare CIC requested a copy of patient data base held for their locality from NCH&C. The information was extracted and encrypted and then given to North Norfolk Healthcare on a password protected USB stick. On receipt of the data North Norfolk Healthcare CIC identified the existence of data not belonging to them and immediately informed NCH&C via the SIRO. Further analysis revealed files for West Norfolk and South Norfolk had been provided in error. The USB was held in a safe place and immediate arrangements were made to retrieve it and securely delete the information which should not have been disclosed.

The information consisted of referrals from GP's and other primary care services. The information would be sensitive personal data on patients and would contain some staff information from the referrer which would consist of the professional's name, work address and telephone number.

Norfolk Community Health and Care NHS Trust

19-Sep-14

Information about less than 10 individuals

A member of staff visited a patient in their own home to administer IV antibiotic therapy. After leaving the patient's property and returning to base the nurse realised they had left a document at the patient's address. The document contained the name, telephone number, address, treatment regimen and details of the underlying condition for 8 patients also receiving treatment by the IV therapy team. The staff member telephoned the patient who confirmed they had found the document and on reading it, placed it with their own patient held record for collection by the team. The staff member immediately returned to the premises to collect the document and apologise to the patient. The NCH&C Trust Policy precludes the use of handover documents away from base. The staff member had completed their mandatory Information Governance Training programme within the previous 12 month period.

The information constituted referrer details, patient name, full address, telephone number, hospital number, intervention, medication, five patients had diagnosis linked to the medication and three patients had clinical readings such as blood pressure, temperature and pulse recorded against their name. Four patients had future clinic appointment times and dates beside their name.

KENT COMMUNITY HEALTH NHS TRUST

16-Sep-14

Information about 11-50 individuals

Request was received from the local authority for a case conference report for a child. The service had not seen the child for a while, but compiled the report and as was usual practice, sent a copy to the parents to the address that they had on record. The address that was on record was not correct, and although the service checked on their system and the National Spine, the service did not check that this was the same address that was on the request for the information. Although the report was sent private and confidential, with a return address on it in case of wrong delivery, the recipient at the wrong address opened the report.

The young person's name, d.o.b, gender, ethnicity, NHS number, GP surgery and address. There was also information about height and weight measurements, immunisation status and 2 A&E attendances. There was also the mother's name d.o.b, gender, ethnicity, relationship to child and address.

UNIVERSITY HOSPITALS OF MORECAMBE BAY NHS TRUST

28-Jul-14

Information about less than 10 individuals

Patient's partner read the Parental Vulnerability Documentation (Cause for Concern) regarding his domestic violence and controlling behaviour as the patient's hospital notes were left in the delivery room.

Medical Records

Croydon Health Services NHS Trust

29-Sep-14

Information about 51-100 individuals

Patient A got home and discovered she had a discharge letter belonging to Patient B. Concerned about delays in Patient B's care, the discharge summary was sent to the GP address by Patient A, using information in the letter.

Full Patient demographics, Diagnosis, GP contact details. Details of medication

NOTTINGHAM UNIVERSITY HOSPITALS NHS TRUST

03-Jul-14

Information about 11-50 individuals

An email was received from a patient's parent informing us that they had received a letter addressed to a local Doctor in regard to another child. This letter had been attached to the back of a letter correctly addressed and intended for this patient's parent

Letter contained patient demographics and medical condition of the child/patient.

LANCASHIRE CARE NHS FOUNDATION TRUST

24-Jul-14

Information about less than 10 individuals

A set of health visitor notes were found by a member of the public and handed into the local public library. The library staff contacted the health Visitor service and the notes were collected and returned to the Trust site. The notes were checked and were found to be complete.

Full names/DOB of both parents, addresses, NHS no’s, health visitor assessments and action plans, mood assessments and birth details.

IPSWICH HOSPITAL NHS TRUST

28-Aug-14

Information about 101-300 individuals

handover list from child health handed into South Reception

patient name, hospital number, dob, admission date, medical condition e.g. tonsillitis, investigation summary e.g. MRI, treatment summary e.g. physio

HEART OF ENGLAND NHS FOUNDATION TRUST

14-Aug-14

Information about 51-100 individuals

Further patient informed Trust of suspected unauthorised access of records. Audits ongoing to determine scale of access.

NHS patient data

THE ROTHERHAM NHS FOUNDATION TRUST

21-Aug-14

Information about less than 10 individuals

17 letters were incorrectly placed in windowed envelope instead of a plain brown one with sticky address label. This resulted in the letters being posted to the person shown on the window portion of the envelope.

Name, Address, discharge/outpatient details.

HEART OF ENGLAND NHS FOUNDATION TRUST

12-Aug-14

Information about less than 10 individuals

Patient contacted with complaint regarding alleged inappropriate access to his medical records by a member of staff.

NHS Patient data

ROYAL DEVON AND EXETER NHS FOUNDATION TRUST

22-Sep-14

Information about less than 10 individuals

Cafe staff member noticed document left on counter and took it around to Health Information Centre (HIC). HIC contacted IG team. Speculate that staff member left Oncology MDT meeting, ordered drink in cafe and inadvertently left documents on counter.

Five sheets of A4 containing details of 46 patients. Name, date of birth, hospital and/or NHS number, summary diagnosis.

Risk of unauthorized access to PID.

Patient data: Name, date of birth, hospital and/or NHS number, summary diagnosis.

BIRMINGHAM WOMEN'S NHS FOUNDATION TRUST

18-Jul-14

Information about less than 10 individuals

The usual practice is for the Clinician to collect a Dictaphone from the secretary. All Dictaphones are named and annotated with a label. The clinician should sign for that particular Dictaphone in a diary kept by the secretary. At the end of the clinic, the Dictaphone should be put into an envelope, annotated with the clinic name, date and dictating clinician, and left with the notes from that clinic to await collection from GOPD by the secretary. Some clinicians will return the Dictaphone/clinic notes to the secretary in person, but not all.

Information on the Dictaphone would have been regarding their last visit to the consultant - Gynaecology

KENT COMMUNITY HEALTH NHS TRUST

07-Jul-14

Information about less than 10 individuals

The emails were sent on 4 separate occasions, via a secure encrypted email, to a recipient of the same name as the intended recipient. Each contained patient and staff data. The emails have since been deleted and further risk to breach mitigated.

Caseload summary information for 85 patients (not full clinical record). Staff sickness/absence returns for 12 staff (internal documentation).

ROYAL DEVON AND EXETER NHS FOUNDATION TRUST

22-Sep-14

Ward waiting room used by staff and visitors/patients. Two copies of ward handover sheets inadvertently left in waiting room.

Details for 41 patients include name and date of birth (some with hospital or NHS number), summary diagnosis, investigation results, clinical plan of action and bloods.

Risk of unauthorized disclosure of PID.

Name and date of birth (some with hospital or NHS number), summary diagnosis, investigation results, clinical plan of action and bloods.

NHS NORTH OF ENGLAND COMMISSIONING SUPPORT UNIT

17-Sep-14

The Finance team continued processing the invoices to keep the system moving between April and July when the processing stopped due to workload. Finance staff would not be expected to fully appreciate the nuances of the DPA in that holding the data constitutes processing. Also the organisation was unsure as to the direction of travel in terms of invoice validation, which NHS England did not confirm until late 2013 when the s.251 application for invoice validation was approved and they issued guidance. As a result the CSU is in the process of setting up a Controlled Environment for Finance (CEfF) in which invoices can be validated lawfully. The scale of this situation and the level of PCD involved were brought to the attention of the CSU IG lead (Senior Governance Manager) at 4pm on 30 January 2014 by the Head of Commissioning Finance and this was immediately reported on the organisation's incident reporting system by the IG lead. Also, the Caldicott Guardian and Director responsible for IG were informed by email. The Managing Director was informed verbally. On 31 January the organisation's SIRO was informed and a face to face discussion was held between the IG lead, Director and SIRO.

Paper invoices containing PCD held in the CSU, in a locked cupboard in a secure environment (swipe card access to office).

NOTTINGHAM UNIVERSITY HOSPITALS NHS TRUST

03-Jul-14

A patient contacted PALS to say he had received his final discharge letter and also enclosed in the envelope were letters on 2 different patients. The letters were intended for the patients’ GPs and contained both demographic and medical information. Normal procedure is that letters are folded and posted singularly; in this instance letters appear to have been folded as a 'group'.

Discharge summaries (Letters intended for the GP detailing procedures the patients underwent)

DEVON PARTNERSHIP NHS TRUST

10-Sep-14

Member of staff accessed records relating to a relative on two occasions without legitimate authority and in breach of Trust policies and Data Protection Act 1998

Full Clinical record. Individual has access to the Trust records system.

ROYAL CORNWALL HOSPITALS NHS TRUST

10-Sep-14

A disk (origin unknown) was sold on eBay by a member of the Radiology Dept. Although an attempt was made to cleanse the data it was recovered by the person who bought the disk. The buyer contacted us and we agreed for the disk to be returned to us. On examination the following data items were recorded: Forename, Surname, Date of Birth, Address, Hospital Number, Radiological examination. There was also a tag which identified the origin of the Trust taking the images.

Forename, Surname, Date of Birth, Address, Hospital Number, Radiological examination

LANCASHIRE CARE NHS FOUNDATION TRUST

24-Jul-14

Approximately 100 questionnaires have been reported missing which contain personal, health and social information relating to year 9 pupils at a college in Lancashire. The information is collected and used to deliver the School Nurse Service by the Trust. These questionnaires provide an opportunity to enable pupils to access school nurse support. The loss of the questionnaires was confirmed 6th January 2014 when the college re-opened after the Christmas break

Questionnaire data

SOUTH TEES HOSPITALS NHS TRUST

22-Aug-14

District nursing diary relating to the year 2013 was stolen from the boot of a district nurse's car.

Patient first names and surnames, Address, Clinical condition prompt words

OXFORD UNIVERSITY HOSPITALS NHS TRUST

07-Jul-14

The file names were correct but the content was patient level data for another CCG. The files should not have contained any patient identifiers, but due to the issue the files were transmitted with MRN and NHS numbers. Total patient records 6,929 (NOT ALL PATIENTS IDENTIFIABLE). Breakdown as follows: 6,711: MRN + NHS; 102: MRN + SEX + DOB + FORENAME + SURNAME; 57: MRN + SEX + DOB + INITIALS; 24: NHS only; 21: MRN only; 9: MRN + DOB + FORENAME + SURNAME; 5: MRN + DOB + INITIALS.

The files were sent to 186 CCGs (secure email addresses) but from an OUH email address (as the data was thought to be anonymised and therefore encryption was not required).

Total patient records 6,929 (NOT ALL PATIENTS IDENTIFIABLE). Breakdown as follows: 6,711: MRN + NHS; 102: MRN + SEX + DOB + FORENAME + SURNAME; 57: MRN + SEX + DOB + INITIALS; 24: NHS only; 21: MRN only; 9: MRN + DOB + FORENAME + SURNAME; 5: MRN + DOB + INITIALS.

North Somerset Community Partnership CIC (NLT)

18-Sep-14

Bank nurse reported her diary was stolen from the boot of her car during the course of 14/15 December 2013. The diary potentially held at least 95 patients' personal information. Visit information (consisting of patient name, address, postcode, reason for visit and a key safe code (if appropriate)) disclosed during the course of the telephone call to the nurse from the office potentially written in to the diary.

As mentioned above information contained in the diary prior to any telephone calls taken during day's visits for example, name, road name, full postcode.

The data obtained from telephone call is patient's name, address, postcode, reason for visit and if applicable key safe code.

SOUTH TEES HOSPITALS NHS TRUST

22-Aug-14

Annotations to handover sheet made printed information more identifiable. Procedure for secure disposal of identifiable information not followed. Little risk that the information had been seen by any member of the public.

Patient first name annotated, Patient surname printed, Limited clinical information

IPSWICH HOSPITAL NHS TRUST

27-Aug-14

A total of 71 printers had left the Trust for recycling at the beginning of November. The third party provider alerted the Trust to the patient records on 21/11/13. The printer in question has been traced back to the XXXXXXXXX office - it appears they re-use paper where one side is blank.

A total of 154 patients' details have been breached - including name, dob, diagnosis, MDT notes

Name, dob, NHS number, hospital number, cancer treatment, diagnosis, MDT notes, outcomes

KENT COMMUNITY HEALTH NHS TRUST

07-Jul-14

An envelope containing two sensitive pieces of post, one being a paediatrics report (child abuse medical) was sent through the internal post instead of externally. The envelope would have been franked with a return address if it had gone externally. The envelope was subsequently sent outside the organisation to the wrong destination (a social care organisation), and was opened by persons not authorised to see the information. The two pieces of information were then sent back to this organisation

NHS patient data including a report on a child abuse medical

SOUTH TEES HOSPITALS NHS TRUST

22-Aug-14

It is believed that these were stolen from the car of a consultant who lived nearby.

A mix of 28 sets of full patient notes / radiotherapy notes relating to a total of 24 patients.

CHESTERFIELD ROYAL HOSPITAL NHS FOUNDATION TRUST

09-Sep-14

It was reported at 2.30 pm on Friday Oct 11th 2013 that it was believed a community nurse's case with four sets of patient notes had been mislaid, last known sight on Wednesday evening, 9th October 2013. Following investigation, which included a review of CCTV footage and staff member's discussion with neighbours, it is now felt likely that the case was stolen from outside their house on Thursday morning. The case was locked at the time of loss/theft. A further review of the office filing cabinet where the files are stored revealed that there were actually 7 sets of patient notes involved, plus 3 work diaries. These all contained patient information.

7 paper files containing NHS patient data; sensitive, personal and confidential information about the patients. 3 work diaries containing personal information, dating from 2010. All data was in a locked, heavy duty case at the time of loss/theft.

NOTTINGHAM UNIVERSITY HOSPITALS NHS TRUST

03-Jul-14

Patient contacted a known nurse and said that she believed a member of staff had accessed her medical information and passed details to a 3rd party as the 3rd party knew information that they could not have known otherwise. Patient gave a name and department of the staff member

Details of the information disclosed not known at the moment

SURREY AND BORDERS PARTNERSHIP NHS FOUNDATION TRUST

13-Aug-14

The fax included demographic details Name, Address, DOB and NHS Number. The fax was sent to a private company. The fax also included reason for referral (as an acronym) and confirmed the person was known to services in a previous year. The company was contacted and was assured the fax had been shredded. The person who uses our services has been notified.

Name, Address, DOB and NHS Number. The fax was sent to a private company. The fax also included reason for referral (as an acronym) and confirmed the person was known to services in a previous year.

LANCASHIRE CARE NHS FOUNDATION TRUST

24-Jul-14

The school Deputy Head Teacher was reorganising his office and discovered these items when disposing of the filing cabinet. His office was always locked when not attended as it used keypad access, and the cabinet itself was kept locked, although the key was left in the lock. On discovering these items he contacted the CaSH team Leader at Petre Court who instigated the investigation and incident reporting.

Sexual health individual records, family planning clinic cards, new patient book & patient appt book.

SURREY AND BORDERS PARTNERSHIP NHS FOUNDATION TRUST

07-Aug-14

An email was received from a person who uses our services; within the email was information about them which included their name, home address, NHS number and his health information. The Governor was contacted within 30 minutes of the incident happening by the Assistant CE and asked to delete the email, it was confirmed that it had been deleted.

Name, home address, NHS Number, mental health information about the person's care

KENT COMMUNITY HEALTH NHS TRUST

07-Jul-14

The parents of the child had explained at an appointment in February 2013 that they did not want the referral to CAMHS to be disclosed to the child's school. This was not written on the child's health record by the Kent Community Health NHS Trust (KCHT) member of staff. On 2nd April 2013, CAMHS sent a letter to KCHT advising that they were unable to accept the referral but would recommend that support for the child's issues be accessed via the school by the completion of a common assessment framework. As the dissent was not recorded in the child's health record, the KCHT member of staff copied the school into the letter from CAMHS in the best interests of the child

A referral letter containing: Name of the child, NHS number, Date of birth, Address, GP, School

The letter contained the fact that the child had been referred to CAMHS and the reason why

CENTRAL AND NORTH WEST LONDON NHS FOUNDATION TRUST

15-Jul-14

On 15th April 2014 a patient telephoned and voiced concerns to the Administration Manager that a member of staff (who is his partner) had gone through his clinical records and also the records belonging to his brother without consent. The patient stated that this occurred in May 2013. Patient was asked to put the complaint in writing.

clinical records

CENTRAL AND NORTH WEST LONDON NHS FOUNDATION TRUST

26-Aug-14

It was brought to the attention of member of staff B's manager on XXXXXXX by the service's manager as patient A had disclosed to her recently in a therapy session. Within the therapy, patient A claimed that member of staff B had used the information from his records against him over a period of time.

Clinical Records (mental health)

Derbyshire Healthcare NHS Foundation Trust

08-Sep-14

Staff member GG contacted the Records Management dept. on 16/04/14 to enquire if we could check if anyone had accessed her service user electronic record. An audit report showed that a work colleague had accessed this record and read 11 reports/entries etc between XXXXX Aug 2011

NHS electronic patient record - no clinical details but clinic attendance and appointment letters.

Information Governance Assurance Directorate

External IG Delivery Team

Health and Social Care Information Centre
