Health firm gets £200k slap after IVF patients' records leak online

Updated A private health firm in the UK has been fined £200,000 after fertility patients’ confidential conversations leaked online.

The £200,000 monetary penalty was levied following an investigation by Blighty's Information Commissioner’s Office (ICO) into the way the Lister Hospital in London was transferring, transcribing and storing audio recordings of information discussed during private IVF appointments.

Problems were discovered in April 2015 after a patient discovered that doctor outpatient letters to Lister Hospital IVF patients that had been dictated for transcription could be freely accessed by searching online.

A subsequent investigation by data privacy watchdogs revealed the hospital had been routinely sending unencrypted audio recordings by email to a company in India since at least 2009, six years prior to the probe. The recordings were transcribed in India and then sent back to the hospital.

Worse yet, the Indian firm stored audio files and transcripts on an insecure server, leaving the confidential data accessible to world+dog.

HCA International breached the Data Protection Act 1998 by failing to ensure that their sub-contractor acted responsibly, earning them a heavy fine along with a public rebuke from the ICO.

Head of ICO enforcement Steve Eckersley said: "The reputation of the medical profession is built on trust. HCA International has not only broken the law, it has betrayed the trust of its patients.

"These people were discussing intimate details about fertility and treatment options and certainly didn't expect this information to be placed online. The hospital had a duty to keep the information secure. Once information is online it can be accessed by anyone and could have caused even more distress to people who were already going through a difficult time," he added.

HCA International already had appropriate safeguards in place in other areas of its business. "The situation could have been avoided entirely if HCA International had taken the time to check up on the methods used by the contract company," Eckersley concluded.

The General Data Protection Regulation (GDPR), the new data protection law coming into force in the UK in May 2018, will strengthen the ICO’s powers to fine companies. Fines of up to four per cent of a company’s global turnover could be issued where a serious breach of data protection law has occurred. ®

Updated at 10.17am on Wednesday 1 March to add: The ICO has, since the publication of this story, clarified that the audio recordings were of information discussed during private consultations, not the consultations themselves.