Betsi Cadwaladr health board criticised for data breach
- 9 July 2014
- From the section Wales
Sensitive medical information about patients was sent mistakenly by a health board to another patient, a data protection watchdog has discovered.
Betsi Cadwaladr University Health Board (UHB) in north Wales was found to be in breach of the Data Protection Act.
Eight letters about patients - intended for a GP's surgery - were sent to one of the patients involved.
The board has promised the Information Commissioner's Office (ICO) it will improve training on data handling.
Six of the eight letters wrongly sent in July 2013 included sensitive medical information relating to the patients' treatment, a report by the office said.
An ICO investigation found that the health board employee responsible for the mistake had not received any form of data protection training.
The health board told the ICO it had introduced mandatory data protection training for all staff in April 2013, but by February 2014 fewer than one in 15 staff had received it, and it did not expect all staff to be trained until April 2015.
It has now signed an undertaking committing the organisation to improving the training provided to its employees.
Anne Jones, ICO assistant commissioner for Wales, said: "We accept mistakes can happen, but organisations must make sure employees handling sensitive personal information are given the necessary training to carry out their role. Betsi Cadwaladr University Local Health Board failed to do this."
Betsi Cadwaladr UHB said they had apologised to all patients affected by the breach.
A spokesman added: "We are working very hard to improve staff awareness of the Data Protection Act. We have launched a comprehensive training package to make sure that all employees who handle sensitive data are appropriately trained in data protection by the end of September 2014.
"Refresher training will also be undertaken every two years."