ICO wades in after GP doxxes woman to her estranged ex-partner

Infosec: It's not just about crypto

The Information Commissioner's Office has waded in after a Hertfordshire "GP practice" sent a woman's medical records to her former partner.

Staff at Regal Chambers in Hitchin had been warned by the woman they needed to take particular care to protect her details, but the surgery failed to do so when her ex-partner made a subject access request for the medical records of the former couple's son.

The general practice then sent him 62 pages of information, back in July 2014, incidentally doxxing the woman by including her contact details in the release. Also revealed were the details of her parents and an older child of hers whom the man is not related to.

The person responsible for handling the request advised the child's GP about it when it was initially sent, but in the absence of a sufficient written procedure, they "went ahead and released everything" according to the ICO.

After an investigation, the ICO found that the GP had "insufficient systems in place to guard against releasing unauthorised personal data to people who were not entitled to see it", which caused the breach of the Data Protection Act.

The ICO's investigation also found staff did not receive adequate guidance or supervision about what could be disclosed or should be withheld.

Steve Eckersley, the ICO’s Head of Enforcement, said: "Most people would be horrified to think the information they entrust to their GP was being treated with anything less than the utmost care. In this case a patient reinforced this, however her pleas went unheeded.

"When that information could have devastating consequences if released incorrectly, it is even more important that measures are robust," added Eckersley. "There is no doubt that releasing this information would have caused great distress to the woman, her children and the rest of her family."

The ICO has issued a fine of £40k to the practice as its partners are individually liable in this instance, but noted that most organisations should expect to receive a much larger fine for a breach of such a serious nature. ®
