Liverpool hospital employee fined for data breach

A former Royal Liverpool University hospital employee has been convicted of unlawfully obtaining patient information.

The former healthcare assistant has been fined £500 and ordered to pay £1,000 towards prosecution costs after she used her position at the hospital to access the medical records of five members of her ex-husband's family.

The former employee accessed the records of five individuals between July and November 2009 in an apparent effort to obtain their new telephone numbers.

The hospital launched an investigation in November 2009 after a former family member contacted it about nuisance calls, which he suspected had been made by the university hospital employee. He told the hospital that he was concerned that there had been a breach of the Data Protection Act.

Checks by the hospital showed that none of the patients whose details had been compromised had at any time been under the medical care of the employee, who therefore had no work-related reason to access their records.

The employee was ordered to pay a £15 victim surcharge as well as being fined £1500 by the ICO. The Royal Liverpool University hospital escaped any fines directly against it as the employer. It was deemed that, because the hospital was able to use its audit facilities to log the employee’s exact activity, it had done as much as it reasonably could to identify and rectify the situation.