An Italian researcher was recently fired by the North Middlesex University Hospital after it discovered that he had revealed confidential information of 31 female patients via a public post on Facebook.
The researcher's Facebook post was active for a week and revealed names, NHS numbers, and details of 31 women who gave birth at the hospital in June.
Luigi Carbone, the researcher in question, had been working at the North Middlesex University Hospital since March under a research agreement with the Foetal Medicine Foundation. In a public post on Facebook earlier this month, he attached a picture of his laptop screen showing sensitive details of 31 women who had given birth at the hospital last month.
The hospital's social media team discovered the picture more than a week after it was posted, and Mr. Carbone was fired as a result. The hospital has reported the incident to the Information Commissioner's Office and has apologised to the women whose details were revealed by Mr. Carbone.
While the fact that sensitive details of patients were revealed in a Facebook post is worrying, what is even more worrying is that several of the patients did not wish to participate in the research programme. The fact that details of such patients were shared with outside researchers also points to a major privacy breach.
“Some of the patients on the spreadsheet had consented to take part but a few had not. This is against the rules of research governance and we are taking steps to ensure this can’t happen in future,” said a spokesman at the North Middlesex University Hospital.
“We ensured the researcher deleted it as soon as we became aware of it through our proactive daily monitoring of social media. He expressed his deep regret for his error of judgment.
"We have terminated his permission to carry out research at our hospital and he no longer works here. We are working closely with his employer organisation to ensure a thorough investigation into this matter,” he added.
“It’s hard to know whether this was an isolated, foolish slip, or whether it suggests the trust’s training of staff on confidentiality and data protection is inadequate,” said Patients Association chief John Kell to The Mirror.
This episode makes it clear that merely updating outdated software in NHS hospitals will not prevent data breaches, as the human factor remains the largest vector for such leaks. The fact that a number of NHS hospitals do not give enough weight to patient consent means that patient data will remain vulnerable to similar breaches in future.
Earlier this month, the ICO found the Royal Free NHS Foundation Trust guilty of sharing sensitive data of 1.6 million patients without adequately informing patients of how their data would be used. The Trust has been ordered to conduct a privacy impact assessment explaining how it will comply with the Data Protection Act while conducting clinical safety tests.
“Our investigation found a number of shortcomings in the way patient records were shared for this trial. Patients would not have reasonably expected their information to have been used in this way, and the Trust could and should have been far more transparent with patients as to what was happening," said Information Commissioner Elizabeth Denham.