A former NHS employee has been found guilty in court for snooping on patient records of her neighbours and colleagues.
Linda Reeves, who previously worked as a vascular data coordinator at the Royal Stoke University Hospital, was told to pay costs of just over £1,000 for a serious breach of trust affecting private information of patients.
On 4 September the North Staffordshire Justice Centre heard 398 patient records were accessed between October 2014 and April 2016.
The case comes just a month after the Information Commissioner’s Office (ICO) again reminded NHS staff about the potentially serious consequences of prying into patients’ medical records without a valid reason.
Reported in The Sentinel, the magistrates heard Reeves resigned from her job during the trust’s investigation into her actions.
Tony Cooke, mitigating, described Reeves as “just plain nosy and looked at things that caught her imagination and interest”.
“She tells me she has been stupid. She did it out of ignorance, not knowing what she was getting herself in to. She knows she’s been reckless but I don’t think anyone can say she’s acted with malice. She felt she had to leave the NHS after these allegations.”
The court confirmed to Digital Health News the cost breakdown was £700 in fines, £364.08 in costs and £70 victim surcharge.
The hospital is part of the University Hospitals of North Midlands NHS Trust.
“Many of our staff have legitimate system access to patient records as part of their role”, said John Oxtoby, medical director and Caldicott guardian at the trust, in a provided statement.
“They are aware that confidentiality is of the utmost importance and that unauthorised access to patient records is not acceptable and will lead to disciplinary action.
“There are strict protocols they must follow and I am confident that almost without exception our staff can be fully trusted to respect the privacy of our patients.”
The ICO reported the prosecution, and said Reeves pleaded guilty to the offence under section 55 of the Data Protection Act (DPA).
“People need to stop and think about the consequences before accessing personal information out of curiosity”, an ICO spokesperson said on Reeves conviction.
“It is against the law to access medical records containing personal data without a business purpose to do so. The law is clear and the consequences of breaking it can be severe.”
“Patients are entitled to have their privacy protected and those who work with sensitive personal data need to know that they can’t just access it or share it with others when they feel like it.”
In May, Sally Anne Day, a former GP administrator of Powys Teaching Health Board, was fined £400 by the ICO for unlawfully accessing patient records.
A greater fine was given to Steve Tennison, a former GP surgery manager, who was fined £1,345 in December 2013 after illegally accessing the medical records of nearly 2,000 patients, most of whom were women in their 20s and 30s.
At present, there are no custodial sentences in respect of DPA offences and no powers of arrest; all offences are punishable only by a fine, according to the Crown Prosecution Service.
In January 2016, former information commissioner, Christopher Graham, reiterated his call for stronger sentencing powers for people convicted of stealing personal data.
“With so much concern about the security of data, it is more important than ever that the courts have at their disposal more effective deterrent penalties than just fines.”
“People who break the criminal law by trading in other people’s personal information need to know that they will be severely punished and could even go to prison.”
17 September 2017 @ 17:38
In my experience of several trusts there is very little checking or analysis of access records to live patient systems, and breaches are only found through reactive investigation of specific suspicions rather than proactive checking. One easy way to view patient details unmonitored is to access test systems, which are often populated with full live patient data. On a number of occasions, I have questioned the legality of using live data, with patients never being explicitly asked to consent to their data being used for testing and training purposes, but management couldn’t see an issue or risk.
18 September 2017 @ 13:49
Firstly, I have worked in a number of Trusts and have never seen a test system using live data. That doesn’t mean it doesn’t happen, just that’s it’s not a routine issue, more so a local issue wherever you work.
Secondly, you’re correct in that there’s very little checking or analysis of access records to patient records systems. Unfortunately, this is the kind of role that has been eliminated as NHS Trusts are continually financially squeezed by the Tories. When Trusts don’t even have enough money to adequately look after patients, then proactively checking systems access rights is way down the list and not even close to being a priority. If NHS Trusts can’t afford people to do this job, then there’s very little they can do. But hey, this is what the public voted for. It baffles me.