Information Governance Incidents

Contents

Introduction 3

Content of the report 3

Next report 3

Closed level 2 incidents reported during 1 October to 31 December 2015 4

Appendix A 20

Incidents closed using the ‘auto closure’ facility 20

Introduction

This is the fifth published report of closed level 2 Information Governance Serious Incidents Requiring Investigation (IG SIRIs) recorded on the IG Toolkit Incident Reporting Tool. It covers IG SIRI level 2 incidents closed during the period of 1 October to 31 December 2015, following investigation by the local organisation(s) concerned.

Content of the report

The report consists of 35 closed incidents reported to the Information Commissioner’s Office (ICO), Department of Health (DH) and NHS England by Health or Social Care organisations or suppliers - as advised within the IG SIRI Guidance issued 29 May 2015.

The report contains the organisation name, date the incident was closed, scale (e.g. the volume of data subjects affected presented as a range), a description of the incident and data involved. All information displayed below is as reported by the organisation(s) concerned. Where necessary, personal information included within the incidents has been redacted.

An auto closure feature introduced in June 2015 closes all open incidents that have not been updated by the organisation for 90 days[1]. In Appendix A are 56 incidents which have been auto-closed by the system.

Please note

· A ‘closed’ incident means that the incident has been investigated by the local organisation and no further action is required unless the ICO makes a request.

· Closed incidents may still be under review by the ICO and any actions taken will be published on the ICO website.

· This report does not include level 2 incidents which are still marked as open and therefore are still under investigation by the local organisation.

· Any near misses, Level 0 and 1 incidents voluntarily reported by organisations are also excluded as these incidents are not currently being monitored by NHS Digital but are useful for gathering intelligence, analysing trends and learning from previous occurrences. Details of such incidents are held by the local organisations.

Next report

The next closed level 2 IG SIRI report will cover the period 1 January to 31 March 2016.

Information Governance Incidents

Closed level 2 incidents reported during 1 October to 31 December 2015

ID / Organisation Name / Date of Closure / Volume / Incident Details / Data /
IGI/4933 / KENT AND MEDWAY NHS AND SOCIAL CARE PARTNERSHIP TRUST / 29-Dec-15 / 132 / Email sent from KMPT staff member to CCG which included an attachment. Attachment included number of data fields however, NHS number was included which resulted in the patients being potentially identifiable at the CCG inappropriately. KMPT staff member sent e-mail believing the information contained therein to be anonymous. Staff member did not realise that NHS number was identifiable data field and was using the spreadsheet as an example of the data which would be helpful from that CCG going forward in relation to a specific patient group. Attachment related to 132 different individuals. The only identifiable field within the spreadsheet was the NHS number. On receipt, the CCG realised the error and deleted the spreadsheet reporting the matter to the Trust. / NHS Number, PAS Number, Age, Provider Placement Details, High level diagnosis information and financial information relating to placement
IGI/4821 / SOUTHERN HEALTH NHS FOUNDATION TRUST / 08-Dec-15 / 20 / Community HCP appointment diary returned to reception by member of the public having been found in road. A Community HCP placed diary on top of car whilst sorting out bags etc. Drove away and diary dropped off roof of car. HCP was unaware of this. A member of the public handed the diary in at office reception. Diary still had elastic band holding it together and nothing was missing. / Diary contained appointment times and full names for approximately 20 service users with some postcodes.
Referral paperwork (p1) contained name, DOB, NHS number, address and telephone number (sensitive information).
Hand written notes (P2) with name at top of paper, but no other PID, no sensitive information.
Hand written note (P3) with a first name only, no other PID plus a carer’s first name and address.
IGI/4729 / SOUTHERN HEALTH NHS FOUNDATION TRUST / 01-Dec-15 / 30 / Member of staff used Outlook email to communicate patient sensitive information, and sent it to the wrong individual via NHSmail.
· Email sent was a conference call sheet that contained the following PID – 16 Patient names – First name and surname – Each patient had sensitive data recorded regarding their current care in the form of current situation column and also an action taken column.
· Email sent was a conference call sheet that contained the following PID – 14 patient names – first name and surname – Each patient had sensitive data recorded regarding their current care in the form of current situation column and also an action taken column.
· Email sent contained – delayed transfers – this contained no PID.
· Email sent – Discharge Planning Themes report – contained no PID.
· Email sent – funding – contained no PID.
· The total amount of patient names that were sent in the two emails is 30 names and each name had sensitive data recorded against them.
The emails were sent via Outlook email to NHS net and the wrong recipient on NHS net received them. / 30-patient names in two emails – First name and surname – Each patient had sensitive data recorded regarding their current care in the form of current situation column and also an action taken column
IGI/4694 / NHS Wirral CCG / 02-Dec-15 / 35 / Box of 35 Continuing Health Care (CHC) paper files has gone missing.
23 Patients are alive, 12 Patients are deceased. CHC files were stored off site, once the cases were closed, with a third party company in 2013. One file is now needed from one box. Third party company say they do not have the box. / Continuing Health Care (CHC) 35 patient paper files.
IGI/4727 / BARNET, ENFIELD AND HARINGEY MENTAL HEALTH NHS TRUST / 23-Dec-15 / 1 / Letter meant for individual posted to address next door in error following discharge from Barnet Complex Care Team individual contacted the Associate Mental Health Worker to report that the discharge letter, written by the Clinical Psychologist, had been delivered to and opened by her neighbour. Preliminary investigation has revealed that the administrator had hand written the wrong door number on the envelope. The envelope did state that the contents were 'private and confidential' and there was a returns address on the back of the envelope, despite these safeguards the neighbour opened the letter. / The letter contained detailed information relating to individuals mental health
IGI/4824 / EAST KENT HOSPITALS UNIVERSITY NHS FOUNDATION TRUST / 09-Dec-15 / 1 / Letter within window envelope was misfolded revealing the nature of the addressee's medical condition as well as his name and address. Human error led to a letter being sent misfolded inside a window envelope by Royal Mail. The window then displayed not only the recipient's details but also that the letter was copied to specialist nurse for a particularly sensitive medical condition. / NHS Patient Data
IGI/4776 / Buckinghamshire Healthcare NHS Trust / 09-Dec-15 / 1 / One patient's information was sent from GUM clinic to GP but upon checking, Trust staff had been given the wrong fax number by the GP practice and the fax was received by a local company. Incorrect fax number given out by GP practice resulting in fax containing PID being sent to outside company. A member of staff from that company immediately contacted the Trust with assurance that the fax had been confidentially destroyed. The affected patient was informed and was satisfied that the fax had been destroyed. GP surgery was asked to amend the fax number shown on their list to avoid a similar incident happening. / Full name, hospital number and address and results of sexual health services visit.
IGI/4559 / CORNWALL PARTNERSHIP NHS FOUNDATION TRUST / 11-Dec-15 / 12 / On the 22/10/2015 Multi-disciplinary team (MDT) meeting minutes were sent via un-secure email to an incorrect distribution list. Data relates to a team meeting involving clinicians from different organisations.
MDT meeting minutes included referral data for 12 individuals, including their name, date of birth, presenting/historic medical condition and recommendation from the MDT. This information was sent via un-secure email to a contact list of 41 individuals. It was a group email to 41 individuals containing 3 sets of meeting minutes along with a re-launch meeting minute.
Email from Clinician requesting everyone to delete the previous email as realised there had been an error. Email generated by email system stating '#### ##### would like to recall the message, "Re ### MDT meetings".'
Incident reported on Trust Incident reporting system. / MDT meeting minutes included referral data for 12 individuals, including their name, date of birth, presenting/historic medical condition and recommendation from the MDT. This information was sent via un-secure email to a contact list of 41 individuals.
IGI/4560 / CORNWALL PARTNERSHIP NHS FOUNDATION TRUST / 11-Dec-15 / 1 / One of Cornwall Partnership NHS Foundation Trust properties was broken in to. Individual responsible was able to access their own information and removed this from the property. In addition other service user information was accessible whilst within the building. The property was broken into by a service user, where it is alleged they spent a substantial period of time moving various items, including other service user mental health records. Individual also removed from the property a black wallet containing their own medical information. / Individual removed Mental Health Act paperwork in relation to themselves from the property and appears to have moved other patient information within the office. Individual could have accessed other patient data, but is not clear whether this occurred.
IGI/4619 / HINCHINGBROOKE HEALTH CARE NHS TRUST / 16-Nov-15 / 24 / A member of staff found a Trauma & Orthopaedic Handover sheet on the floor in a hospital corridor. Attached to the handover sheet were 2 torn pieces of paper with details of other patients on them and handwritten notes. The sheet was un-named. / Clinical ward handover sheet using hospital number, patient name and DOB as identifiers. There are some hand written notes but predominantly the information is medical and not easily interpreted by the untrained eye, there is no social information detailed.
IGI/4587 / East Kent Medical Services Ltd / 08-Dec-15 / 4 / A blank patient pre-assessment form had been sent out, however stapled within this document was a theatre list containing 4 patients’ details. Information contained the names of 4 patients, detailing names, DOB, gender, procedure and hospital number. This was down to human error where an individual has printed a list off and has not collected it from the printer, and someone else has scooped up their printing and inadvertently stapled this information within a blank assessment form. Risks have been highlighted, may have reputational risk to the business, and cause distress to patients. / Patient Data.
IGI/4523 / Buckinghamshire Healthcare NHS Trust / 21-Dec-15 / 16 / A patient received 16 letters intended for other patients along with their own letter. Fifteen of the letters contained confidential information regarding patient diagnosis. / NHS patient data
IGI/4481 / WALSALL HEALTHCARE NHS TRUST / 04-Nov-15 / 25 / A ward handover sheet was found by a member of staff in a staff car park. The ward handover sheet contained the names of 25 patients (no addresses, no NHS numbers, no hospital numbers and no dates or births were on the sheet, only names) and limited clinical detail required for handover. The sheet was found by a member of staff on a staff car park early in the morning. / A ward handover sheet containing the names of 25 patients (no addresses, no NHS numbers, no hospital numbers and no dates or births were on the sheet, only names) and limited clinical detail required for handover.
IGI/4472 / HINCHINGBROOKE HEALTH CARE NHS TRUST / 30-Oct-15 / 8 / A porter was bringing a patient from ward A toward B when he found a handover sheet on the floor in the main corridor leading up to the wards. He picked it up and handed it to a staff nurse. The handover contained the details of 8 patients. It was a Urology handover sheet but did not have the name of the doctor who it belonged too on it. / Clinical ward handover sheet using hospital number, patient name and DOB as the only identifiers. There are some hand written notes but predominantly the information is medical and not easily interpreted by the untrained eye, there is no social information detailed.
IGI/4608 / Buckinghamshire Healthcare NHS Trust / 21-Dec-15 / 1100 / Linked tab contained names and drugs prescribed for 1100 patients. The spreadsheet was password protected and sent to two individuals. / NHS patient data