NHS Highland apologises after data security breach
Letters inviting patients at NHS Highland for their second dose of Covid vaccine were produced by NHS Highland Public Health carrying information relating to other patients.
A spokesperson has explained: "These letters each contain the name and address of the patient along with the date, a time slot and a location they should attend to receive their second vaccine. Each of these letters should only fill one page.
"On Thursday, July 22 a batch of 249 letters, addressed to named individual patients, were transferred electronically to the department in Inverness who have the facilities to print and envelope large batches of letters.
"The process is that the letters are printed before being manually transferred to a letter folding/enveloping machine. The packed envelopes are then manually taken to the mail room for posting to patients.
"On the evening of Saturday, July 24 an email was sent by a recipient of one of these letters informing the Director of Public Health that they had received their notification of a second vaccine appointment and that on the reverse of their letter were the details of a second patient and their vaccine appointment.
"On Monday, July 26 this matter was escalated and following enquiries it was found that of the 249 letters that should have been printed, 124 had been printed with the details of a second patient on the reverse of each of these letters."
The gaffe meant that 124 patients did not receive their offer of a second vaccine and their data was inappropriately shared with others.
One letter was printed correctly and without issue.
The NHS Highland Data Protection Officer (DPO) was notified and in turn notified the Senior Information Risk Owner (SIRO), David Park.
NHS Highland posted: "Immediate actions were taken on the morning of July 26 to mitigate risk."
The Data Protection Officer met the relevant managers and an action plan was agreed to mitigate the risks of the slip happening again.
"The following actions were put in place:
• Establish facts around existing processes
• Ensure letters of invite for second Covid vaccine are sent to 124 patients who did not receive their letter
• Draft and send letters of apology to 124 patients whose data were shared inappropriately informing them of what had occurred and who to contact should they have any questions
• Draft and send letters of apology to 124 patients who mistakenly received the data of others asking them to attend their appointments but to securely destroy the information they had been sent in error – Complete
• Review current processes. Develop a standard operating procedure and brief all staff within the department responsible for this printing
• Notify the Information Commissioner
• Notify the NIS Competent Authority."
The spokesperson explained: "The printing of these specific letters is a new and additional process brought about by the needs of the Covid Vaccine programme.
"The default settings on printers are set to double sided printing. However it is clear that the appropriate quality checks were not carried out during the printing and enveloping process. This may be considered to be human error.
"The staff involved, who had been trained in the use of the printer and letter folding/enveloping machines, have been spoken to by their manager and reminded of their responsibilities to carry out quality checks throughout this print process.
"The manager for the department involved has published a standard operating procedure for this printing process which has been cascaded to all staff within the department.
"The Information Commissioner's Office (ICO) has been notified of this data breach within the statutory timescales and has acknowledged receipt of the report. The DPO will update the SIRO of the results of the ICO’s findings.
"People should have received the replacement letters in time to attend their vaccination appointments, but follow-up will be undertaken."