Hospital staff have been dismissed and suspended for looking up patients’ confidential medical information.
They are among hundreds of data protection breaches reported by the NHS in Suffolk and North Essex in the last two years.
No harm was done in the majority of cases but the most common serious breaches involved staff looking at patients’ records inappropriately.
At Ipswich Hospital nine data protection breaches were serious enough to be reported to watchdog the Information Commissioner’s Office (ICO) over the last three years.
That included five times when staff unlawfully obtained personal data. One staff member was dismissed in 2015 for that.
And “HR Action” was taken against another three staff members for the same offence, according to the hospital.
Another disciplinary investigation is currently ongoing after a staff member again unlawfully obtained personal data.
Other breaches included a letter to a patient being posted to the wrong address last year, and a ward handover sheet with patient details on accidental given to a patient when they were discharged.
A staff member also had a bag containing personal patient information stolen from a car and in a separate case a patient handover list was found outside of the hospital in 2014.
The hospital reported 72 data protection breaches in 2015/16 and 40 last year.
A spokesman said: “We view any breach of our data protection guidelines very seriously and encourage all our staff to report anything of concern immediately. We have put in place a range of measures to help address this issue including ordering new confidential waste bins which are lockable so the content is secure at all times.”
At Colchester Hospital three staff members were dismissed last year for data protection breaches. In two cases staff members gained “inappropriate access to data”.
In one case, Brioney Woolfe, a healthcare assistant was sacked for accessing confidential information of 29 patients in the midwifery department at the hospital.
The 28-year-old, of Stour Close, Dovercourt, pleaded guilty to two offences under the Data Protection Act at a hearing at Colchester Magistrates’ Court. She was fined £400 for obtaining personal data and £650 for disclosing it, ordered to pay prosecution costs of £600 and a victim surcharge of £65.
In another case someone was dismissed for verbal breach. A fourth staff member was suspended for “inappropriately” accessing data and a fifth one was suspended for not following confidentiality guidelines, the hospital said.
A total of 11 cases were reported to the ICO in 2016/17 and another three in 2015/16.
The hospital recorded 97 breaches last year and 70 year before. They included theft, emailing the wrong information to people and loss of records.
Barry Moult, the hospital’s head of information governance and health records, said: “We take any breach extremely seriously. Each breach is investigated to see if processes or systems can be changed to protect patient information.
“The fact that we dismissed three members of staff in 2016/17 for inappropriate access to patient data is evidence of just how seriously we take this matter.”
Andy Yacoub, chief executive of Healthwatch Suffolk, said: “It is good to know that such cases have been discovered, investigated and that, where staff are clearly at fault, action has been taken to address the breach.”
But he said the number of breaches could be even higher as they had come across incidents which went unreported.
“An anonymous caller spoke with us about their concerns that a patient’s notes had been left on a bed and that when this was raised with a health professional, the individual concerned simply left the notes there,” he said.
The Norfolk and Suffolk Foundation Trust (NSFT), which provides mental health services for the region, has investigated 41 data protection breaches since 2014 - and the number has tripled since that year.
They include sending confidential patient information to the wrong patient and GPs. There were 22 reported cases last year, up from seven two years before. Two cases were reported to the ICO in the last two years which took no further action.
Leigh Howlett, NSFT’s director of strategy and resource, said the number of patients they treat had increased in that time and all breaches were investigated.
“All our staff are required to undertake mandatory information governance training on a yearly basis and it forms a key part of our Trust’s induction programme,” they said.
An ICO spokesperson said: “The health sector handles some of the most sensitive personal data, and patients have the right to expect that their information will be looked after.”
West Suffolk Hospital said it reported just one breach to the ICO in the last two years, while Suffolk Community Healthcare said it reported no data breaches to the watchdog.
Comments: Our rules
We want our comments to be a lively and valuable part of our community - a place where readers can debate and engage with the most important local issues. The ability to comment on our stories is a privilege, not a right, however, and that privilege may be withdrawn if it is abused or misused.
Please report any comments that break our rules.
Read the rules here