
GDPR breach

  • 04-11-2020 4:15am
    #1
    Registered Users, Registered Users 2 Posts: 18


    Hi, just looking for some feedback. A hospital sent a referral to another hospital as I need to see a different consultant. I requested a copy of the referral to be emailed to me. I did not receive it, so I followed up with the receptionist, who agreed to email it to me. The lady replied, "I've sent it to you." I confirmed I did not receive it; she spelt out my name, which was wrong, so I gave her the correct one. The receptionist then forwarded it to me. It was originally sent to a person with a similar name to mine, and it contained all my information: name, DOB, address, medical history, why I had been referred to a specialist, etc. Upon receiving the email I can see it was sent to the other person, and when I confirmed the correct spelling of my name it was just forwarded, which means I can also see the exact email it was sent to first. The receptionist never even apologised to me. How do I go about reporting this, as I'm extremely angry, especially at the extent of information that was in it that I myself was not even aware of? It was very confidential information.


Comments

  • Registered Users, Registered Users 2 Posts: 26,998 ✭✭✭✭Peregrinus


    You take it up in the first instance with the hospital. If you don't get satisfaction out of them, you can take it up with the Data Protection Commissioner. Exactly how you take this up with the hospital will depend on whether you're a public patient or a private patient, and whether the hospital is a public hospital or a private hospital, but the hospital will have a complaints procedure and will guide you to it.

    Do this in writing, not by phone, so that you have a record of your exchange with the hospital that you can show to the Data Protection Commissioner, if it comes to that.

    Also, think about what kind of satisfaction you are looking for. They can't unsend the email, obviously. You can look for an admission of error and an apology. Do you want anything more than that? If so, what?

    You may also want to establish whether the wrong email address that was used is a real functioning email address - i.e. did the email intended for you actually reach another live human being?


  • Registered Users, Registered Users 2 Posts: 18 Gettingwed


    Cheers for the reply. Do I just contact the receptionist who completed it, or is there a specific person I should be looking for? I have surgery coming up soon with this hospital. It's a public hospital and I'm quite nervous that if I make a complaint now it may put my surgery on hold. As far as I'm aware the email never bounced back, therefore I believe there is such an email in use, however I'm not aware if the person actually checks their emails etc. I would have liked an apology when she realised; instead I got "o ****". It was only when it was forwarded on to me that I realised the extent of the details.


  • Registered Users, Registered Users 2 Posts: 26,998 ✭✭✭✭Peregrinus


    Ring the hospital and ask for contact details for the complaints officer. Or, find your hospital on this page and then click through to find details of the complaints officer for that hospital.

    The fact that you're making a complaint about an administrative matter - the handling of your data and management of your referral - shouldn't affect the provision of medical services to you at all. But if you're worried about this, and your surgery is "coming up soon", you might decide not to make the complaint until after the surgery is done. It's not that I think there's any real risk making the complaint would actually affect your surgery, but if there's a real risk that you would worry about that, then spare yourself the worry. Surgery is stressful enough without adding to it.


  • Posts: 5,369 ✭✭✭ [Deleted User]


    You could email the person and then you would know if it's real or not.

    People make mistakes and send / receive messages meant for other people. Email, text or whatever medium used, it happens so I wouldn't be expecting too much from this.


  • Registered Users, Registered Users 2 Posts: 18 Gettingwed


    You could email the person and then you would know if it's real or not.

    People make mistakes and send / receive messages meant for other people. Email, text or whatever medium used, it happens so I wouldn't be expecting too much from this.

    I am well aware of human error as it can happen to any of us but also aware of manners, so even if she apologised it would have been helpful, or acknowledged she made an error. When you say expecting much from it what do you mean? What I would be expecting at the least is that, to ensure people's privacy, they do something to ensure it does not happen to another person.


  • Posts: 5,369 ✭✭✭ [Deleted User]


    Gettingwed wrote: »
    I am well aware of human error as it can happen to any of us but also aware of manners, so even if she apologised it would have been helpful, or acknowledged she made an error. When you say expecting much from it what do you mean? What I would be expecting at the least is that, to ensure people's privacy, they do something to ensure it does not happen to another person.

    That won't happen. Again, human error. What is it you would like them to do that would eradicate the possibility of someone mis-writing or typing your name, address or email address again? Realistically I mean.

    So if that's your genuine desire as an end result, save yourself the hassle.

    If however you're looking for a corporate apology, you will get that.

    If you are looking for their records to be updated, that's a given.

    If it's a case that this lady is racking up complaints, they will take action against her. If it's a once off, they won't.

    Did you try emailing the incorrect address?


  • Registered Users, Registered Users 2 Posts: 9,514 ✭✭✭TheChizler


    They could change procedures to send a test email before sending the one containing personal data. Or password protect the file and give the OP the password over the phone. Plenty of ways this could have been avoided.


  • Registered Users, Registered Users 2 Posts: 18 Gettingwed


    That won't happen. Again, human error. What is it you would like them to do that would eradicate the possibility of someone mis-writing or typing your name, address or email address again? Realistically I mean.

    So if that's your genuine desire as an end result, save yourself the hassle.

    If however you're looking for a corporate apology, you will get that.

    If you are looking for their records to be updated, that's a given.

    If it's a case that this lady is racking up complaints, they will take action against her. If it's a once off, they won't.

    Did you try emailing the incorrect address?

    Yea I have just sent an email to the incorrect one and it did not bounce back therefore it is a valid email.


  • Registered Users, Registered Users 2 Posts: 6,185 ✭✭✭screamer


    It’d be no different had she posted it out to you, and it had gotten lost in the post. The amount of personal data we entrust to postal distribution or internet super highways is crazy. Hence, I register post that has my personal details on it, and I’d pick up anything they want to send me. Otherwise, there is always a chance of your data being compromised due to human or technical error.


  • Posts: 5,369 ✭✭✭ [Deleted User]


    TheChizler wrote: »
    They could change procedures to send a test email before sending the one containing personal data. Or password protect the file and give the OP the password over the phone. Plenty of ways this could have been avoided.

    I'm not aware of any company that sends test mails or postal letters. It's time consuming for starters.

    They could password protect and provide the password over the phone but then couldn't they just tell the person over the phone in the first place?

    Neither will be implemented over this.


  • Posts: 5,369 ✭✭✭ [Deleted User]


    Gettingwed wrote: »
    Yea I have just sent an email to the incorrect one and it did not bounce back therefore it is a valid email.

    Unfortunate.


  • Subscribers Posts: 42,171 ✭✭✭✭sydthebeat


    One random person somewhere on planet earth got one other person's medical records due to human error.

    Not the most egregious breach of data ever.

    An apology from the hospital is the most reasonable outcome


  • Closed Accounts Posts: 1,862 ✭✭✭un5byh7sqpd2x0


    sydthebeat wrote: »
    One random person somewhere on planet earth got one other person's medical records due to human error.

    Not the most egregious breach of data ever.

    An apology from the hospital is the most reasonable outcome

    I think you’ll find it’s a very serious breach.


  • Registered Users, Registered Users 2 Posts: 940 ✭✭✭angel eyes 2012


    The Hospital should have contact details of their Data Protection Officer on the Hospital's website. Usually a generic email address or phone number. You can raise a complaint through the DPO and it's up to them to investigate the incident.

    I suspect the staff member concerned has not been briefed on how to react in the event of a data breach or otherwise an apology would have issued to the OP.

    If there is no satisfactory response from the DPO you also have a right of complaint to the DPC but in fairness I would give the hospital an opportunity to sort it first.


  • Registered Users, Registered Users 2 Posts: 26,295 ✭✭✭✭Mrs OBumble


    I'm not aware of any company that sends test mails or postal letters. It's time consuming for starters.

    I am.

    Hospitals should simply not be emailing medical information. It's the equivalent of putting it on a post card and posting it to you.

    OP, post a written complaint to the hospital's data protection officer.


  • Moderators, Business & Finance Moderators Posts: 10,611 Mod ✭✭✭✭Jim2007


    Gettingwed wrote: »
    Yea I have just sent an email to the incorrect one and it did not bounce back therefore it is a valid email.

    You won’t know that for at least a month. Emails that fail to reach a valid address can spend a long time bouncing around before they bounce back.


  • Registered Users, Registered Users 2 Posts: 2,985 ✭✭✭beachhead


    Peregrinus wrote: »
    You take it up in the first instance with the hospital. If you don't get satisfaction out of them, you can take it up with the Data Protection Commissioner. Exactly how you take this up with the hospital will depend on whether you're a public patient or a private patient, and whether the hospital is a public hospital or a private hospital, but the hospital will have a complaints procedure and will guide you to it.

    Do this in writing, not by phone, so that you have a record of your exchange with the hospital that you can show to the Data Protection Commissioner, if it comes to that.

    Also, think about what kind of satisfaction you are looking for. They can't unsend the email, obviously. You can look for an admission of error and an apology. Do you want anything more than that? If so, what?

    You may also want to establish whether the wrong email address that was used is a real functioning email address - i.e. did the email intended for you actually reach another live human being?
    Write a letter to the Registrar of the hospital by name and use registered post.


  • Registered Users, Registered Users 2 Posts: 2,419 ✭✭✭antix80


    Gettingwed wrote: »
    I requested a copy of the referral to be emailed to me.

    That wasn't a good decision on your part and the receptionist probably should have said it was against policy.

    Anyway.. Hospital will probably refuse future requests so you'll be ruining it on everyone.


  • Registered Users, Registered Users 2 Posts: 14,378 ✭✭✭✭jimmycrackcorm


    It's worth reporting and making a complaint about. For the simple reason to make sure that the hospital enforces a policy of encryption or password protection of attachments.
    It's very flippant to send out sensitive private medical information in such an ad hoc manner.


  • Registered Users, Registered Users 2 Posts: 26,998 ✭✭✭✭Peregrinus


    antix80 wrote: »
    That wasn't a good decision on your part and the receptionist probably should have said it was against policy.

    Anyway.. Hospital will probably refuse future requests so you'll be ruining it on everyone.
    If it's not a good decision to have confidential medical data sent in unencrypted attachments to emails, then steps which lead hospitals to stop doing that are hardly "ruining it on everyone"; surely they are protecting everyone from what you yourself say is a poor practice?


  • Registered Users, Registered Users 2 Posts: 40,638 ✭✭✭✭ohnonotgmail


    I'm not aware of any company that sends test mails or postal letters. It's time consuming for starters.

    They could password protect and provide the password over the phone but then couldn't they just tell the person over the phone in the first place?

    Neither will be implemented over this.

    I have had this in two recent interactions with a solicitor and social worker. An email first to confirm they have the email correct before sending any personal info. Seems like a reasonable thing to do.


  • Registered Users, Subscribers, Registered Users 2 Posts: 13,631 ✭✭✭✭antodeco


    Standard policy in just about any organisation is, when sending external files, they are password protected.

    I think this is a major failing on the hospital's behalf (medical records are almost sacrosanct!). It was human error, granted, however, they should have a policy that protects any data in the event of human error, and password protected files is a very easy way to do this.

    OP, the best you can do, when raising the complaint, is to state the above. When a Data Breach happens, an organisation is allowed to try and rectify their procedures, and your complaint may end up protecting other people's data going forward.


  • Posts: 2,077 ✭✭✭ [Deleted User]


    TheChizler wrote: »
    They could change procedures to send a test email before sending the one containing personal data. Or password protect the file and give the OP the password over the phone. Plenty of ways this could have been avoided.

    And add a whole new layer of bureaucracy and delays on top of an already creaking system. Plus end up with a deluge of calls from people forgetting passwords etc.


  • Moderators, Business & Finance Moderators Posts: 10,611 Mod ✭✭✭✭Jim2007


    I have had this in two recent interactions with a solicitor and social worker. An email first to confirm they have the email correct before sending any personal info. Seems like a reasonable thing to do.

    Well it achieved the two objectives of the exercise: created a sense of confidence in you and gave them a good defense if things go wrong.

    But it in no way impacts the probability of an employee selecting the correct email address when sending out an email.

    Secrecy is one of the corner stones of Swiss banking, so much so that it is a criminal offense to disclose client information without a court order. And having worked in that environment for more than 30 years, I can confirm the information often gets sent to the wrong person. Yes, even in a situation where an employee could face a criminal prosecution, they failed to pay sufficient care and attention to avoid such mistakes.


  • Moderators, Business & Finance Moderators Posts: 10,611 Mod ✭✭✭✭Jim2007


    And add a whole new layer of bureaucracy and delays on top of an already creaking system. Plus end up with a deluge of calls from people forgetting passwords etc.

    It’s not just bureaucracy, all this encryption, decryption etc dramatically increases the network load, so when the network gets overloaded, net admins resort to the usual solution - they turn it off!


  • Registered Users, Registered Users 2 Posts: 1,723 ✭✭✭rock22


    I am.

    Hospitals should simply not be emailing medical information. It's the equivalent of putting it on a post card and posting it to you.

    OP, post a written complaint to the hospital's data protection officer.

    I assume you have never worked in health care
    The whole system would come crashing down within days if email was removed


  • Registered Users, Subscribers, Registered Users 2 Posts: 13,631 ✭✭✭✭antodeco


    And add a whole new layer of bureaucracy and delays on top of an already creaking system. Plus end up with a deluge of calls from people forgetting passwords etc.

    Put the password as the person's contact number or date of birth.

    Better to add an extra layer of legal protection, than being fined by the DPC


  • Posts: 5,369 ✭✭✭ [Deleted User]


    antodeco wrote: »
    Put the password as the person's contact number or date of birth.

    Better to add an extra layer of legal protection, than being fined by the DPC

    so a very obvious and guessable password then?


  • Posts: 5,369 ✭✭✭ [Deleted User]


    I am.

    Hospitals should simply not be emailing medical information. It's the equivalent of putting it on a post card and posting it to you.

    All organisations email internal information, every single day, hour and minute.

    You want all contact to go back 50 years?

    I stand by my assertion, companies don't send 'checker mails' for 2 reasons

    A, time and cost

    B, it's pointless. People can still lie and the second mail can contain an error


  • Registered Users, Registered Users 2 Posts: 9,514 ✭✭✭TheChizler


    All organisations email internal information, every single day, hour and minute.

    You want all contact to go back 50 years?

    I stand by my assertion, companies don't send 'checker mails' for 2 reasons

    A, time and cost

    B, it's pointless. People can still lie and the second mail can contain an error

    Because something has corner-case exceptions and does not work 100% of the time does not make it pointless.


  • Posts: 5,369 ✭✭✭ [Deleted User]


    TheChizler wrote: »
    Because something has corner-case exceptions and does not work 100% of the time does not make it pointless.

    correct, just as the current system works almost 100% fine


  • Banned (with Prison Access) Posts: 426 ✭✭Eleven Benevolent Elephants


    TheChizler wrote: »
    They could change procedures to send a test email before sending the one containing personal data. Or password protect the file and give the OP the password over the phone. Plenty of ways this could have been avoided.

    LOL. It's the HSE we're talking about.
    There's more IT skills in a national school computer class for senior infants.

    These clowns are still using FAX!

    The greedy unions would probably demand a pay rise and extra training.

    Mod
    Easy now


  • Posts: 5,369 ✭✭✭ [Deleted User]


    LOL. It's the HSE we're talking about.
    There's more IT skills in a national school computer class for senior infants.

    These clowns are still using FAX!

    The greedy unions would probably demand a pay rise and extra training.

    how dare they ask for training in a new system!


  • Registered Users, Registered Users 2 Posts: 40,638 ✭✭✭✭ohnonotgmail


    LOL. It's the HSE we're talking about.
    There's more IT skills in a national school computer class for senior infants.

    These clowns are still using FAX!

    The greedy unions would probably demand a pay rise and extra training.

    One of the examples I gave was from a social worker in the HSE. It is not an organisational issue


  • Banned (with Prison Access) Posts: 426 ✭✭Eleven Benevolent Elephants


    I have had this in two recent interactions with a solicitor and social worker. An email first to confirm they have the email correct before sending any personal info. Seems like a reasonable thing to do.
    Apt username btw :D


  • Registered Users, Registered Users 2 Posts: 26,295 ✭✭✭✭Mrs OBumble


    All organisations email internal information, every single day, hour and minute.

    You want all contact to go back 50 years?

    I stand by my assertion, companies don't send 'checker mails' for 2 reasons

    A, time and cost

    B, it's pointless. People can still lie and the second mail can contain an error

    Your assertion is incorrect.

    One company I work for now does send checker mails first.

    And most in the industry are moving from password protected attachment to secure server file sharing.

    We do not know if this is HSE or private sector hospital. Either way, external email is not suitable.


  • Posts: 5,369 ✭✭✭ [Deleted User]


    Your assertion is incorrect.

    One company I work for now does send checker mails first.

    And most in the industry are moving from password protected attachment to secure server file sharing.

    We do not know if this is HSE or private sector hospital. Either way, external email is not suitable.

    external email is how the entire globe communicates.

    1 company out of millions means very little.

    Either way, large organisations in the public sector are unlikely to change to such a system overnight

    FYI, I get my correspondence by post. Letters arrive for other people from time to time as well. The OP requested the email


  • Registered Users, Subscribers, Registered Users 2 Posts: 13,631 ✭✭✭✭antodeco


    so a very obvious and guessable password then?

    What's my password so?


  • Registered Users, Registered Users 2 Posts: 26,998 ✭✭✭✭Peregrinus


    LOL. It's the HSE we're talking about.
    There's more IT skills in a national school computer class for senior infants.

    These clowns are still using FAX!
    Fax is still widely used in the medical field (and not just in Ireland) precisely because it provides a higher level of security and privacy for medical data than emails or similar do. But it probably wouldn't have been an option in the OP's case because it's unlikely that he has the setup needed to receive faxes at home.


  • Posts: 5,369 ✭✭✭ [Deleted User]


    antodeco wrote: »
    What's my password so?

    Yes, you have proven that point so well. A random account on the net ffs!


  • Registered Users, Subscribers, Registered Users 2 Posts: 13,631 ✭✭✭✭antodeco


    Yes, you have proven that point so well. A random account on the net ffs!

    As opposed to a random email?


  • Registered Users, Registered Users 2 Posts: 911 ✭✭✭steve-o


    antodeco wrote: »
    What's my password so?
    11-Dec-1981


  • Registered Users, Registered Users 2 Posts: 911 ✭✭✭steve-o


    All organisations email internal information, every single day, hour and minute.

    You want all contact to go back 50 years?

    I stand by my assertion, companies don't send 'checker mails' for 2 reasons

    A, time and cost

    B, it's pointless. People can still lie and the second mail can contain an error
    Every website I sign up to sends a verification email. Even if there's no automated process, it's not difficult for someone on the phone or across a desk to send a test email and ask you to verify that you've received it.

    Sending unencrypted medical details to an unverified email address is just plain stupid and is legally a serious issue.


  • Posts: 178 ✭✭ [Deleted User]


    steve-o wrote: »
    Every website I sign up to sends a verification email. Even if there's no automated process, it's not difficult for someone on the phone or across a desk to send a test email and ask you to verify that you've received it.

    Have you been to a public hospital lately? Do you think staff have time to stay on the phone while 80yo Johnny logs in and checks his verification email?

    I am guessing you are one of the people who thinks all civil servants are lazy and operate at 50% and have time for your hair-brained manual process


  • Registered Users, Registered Users 2 Posts: 40,638 ✭✭✭✭ohnonotgmail


    Mayo_fan wrote: »
    Have you been to a public hospital lately? Do you think staff have time to stay on the phone while 80yo Johnny logs in and checks his verification email?

    I am guessing you are one of the people who thinks all civil servants are lazy and operate at 50% and have time for your hair-brained manual process

    It is not harebrained and is already in use in parts of the HSE.


  • Registered Users, Registered Users 2 Posts: 911 ✭✭✭steve-o


    Mayo_fan wrote: »
    Have you been to a public hospital lately? Do you think staff have time to stay on the phone while 80yo Johnny logs in and checks his verification email?

    I am guessing you are one of the people who thinks all civil servants are lazy and operate at 50% and have time for your hair-brained manual process
    You've made some impressive deductive leaps there.

    In this case, the receptionist's employer is legally obliged to report a data breach to the Data Protection Commissioner. Of course, I've no idea if that will actually happen. But it will consume more time and paperwork than the few seconds that would have elapsed before the person's phone pinged and they could have confirmed receipt of the verification email.

    But, as you seem to be a bit of a process guru, maybe you can suggest an alternative process that complies with the law and doesn't overburden the health service?

