American healthcare giant HCA International, which owns a number of private hospitals in London, has received a £200,000 fine and a public rebuke from the Information Commissioner’s Office (ICO) after patients at its Lister Hospital in Chelsea had their IVF data leaked online.
In 2015 a patient discovered that doctors’ outpatient letters were freely accessible on the Internet. Further investigation revealed that information from intimate consultations between doctors and their fertility patients had been travelling via unencrypted email to a subcontractor in India as far back as 2009. That subcontractor was then storing the letters on an insecure server, making them accessible to all and sundry.
HCA may have got off lightly, however. After the introduction of the General Data Protection Regulation in May 2018, the ICO will be able to fine companies up to 4% of their global turnover for a serious breach of data protection law. So the fact that these failings were uncovered now may well have saved the company several million pounds.