States shares health debt data of 5,000 in an email
A DATA protection breach is being investigated by the Office of the Data Protection Authority after a civil servant sent computer files of confidential health debt information on more than 5,000 islanders to a former Guernsey man now living in the UK.
The recipient, who asked not to be named, said he had been in email contact with the Revenue Service in relation to his income tax payments.
He was sent an email which contained three files, which included the names of customers and details of amounts payable for services received.
The States has today admitted that its corporate debt management team accidentally emailed information on health debt data to the man. Staff immediately tried to recall the email and the recipient agreed to delete it.
The files contained no medical records, details of procedures, and the data included would have been insufficient to use for identity fraud. No tax information was shared. 5,059 individuals were included.
‘I know that this incident will cause frustration and distress and I want to unreservedly apologise for the lapse in security of customer data,’ said Bethan Haines, chief resources officer at the States.
‘We take matters of data security extremely seriously and have taken immediate steps to strengthen our security measures, while we continue to carry out an investigation into the incident in order to capture the lessons learnt.’
The man who received the documents said he did not look too closely at the files, but did see references to the Medical Specialist Group and Health & Social Care, along with the names of patients.
‘One was a massive long file,’ he said.
‘I saw thousands of names, talking about millions of pounds, but I didn’t think much of it to be honest.’
The recipient’s partner said he should report it to the ODPA so he did – initially to the UK data protection regulator, which then referred him to the Guernsey office.
ODPA commissioner Brent Homan said his office had been made aware of the concerns and had contacted the States for an explanation.
‘We have now received a breach report for this matter,’ he said. He said he was unable to comment further.
The States today published a public notification of the breach, which occurred on Thursday 18 April. It said it would cooperate fully with the ODPA investigation and had put additional security measures in place to mitigate future occurrences of this nature.
Lessons to be learnt, page 8
