A Caithness man was sent the details of a pregnant mum’s complaint against NHS Highland instead of his own – in a fourth such data breach.
Peter Todd has previously received the wrong patient information when requesting his own medical files three times, and is horrified it has happened again.
He has since complained to the Information Commissioner’s Office about the matter, who have spoken to NHS Highland about it.
The incident, which happened in March, came after Mr Todd made a subject access request (SAR). He wanted details of a complaint he himself had made about the health board.
Instead, he received the pregnant woman’s details and the nature of her complaint.
Does the woman know?
Mr Todd said: “I now know this woman’s name, address and personal details. I know that she was pregnant when a member of staff logged into her file and used that information to make inappropriate contact with her.
“I wonder if she knows what has happened now? Her information has been shared with a complete stranger, or if the staff member knows that I have a copy of that complaint.
“If I wanted to, I could go to her door.”
In papers we have seen, the ICO said it had spoken to NHS Highland about the issue.
This is not the first time Mr Todd has had a complaint upheld against NHS Highland for the information passed to him in error.
In the past he said he has received handwritten notes containing surnames, dates of birth and information about patient consultations.
This is the fourth time Mr Todd, has lodged a complaint over an alleged data breach since March 2022 – the first three all relating to the same set of files.
Mr Todd continued: “NHS Highland needs to give its data protection a complete overhaul. It has been told umpteen times that it needs a revamp.
“I was thinking ‘am I unlucky’ or is this happening to more people.
“But, as much as I am a pain the neck of the health board, if they are doing it to me – they are doing it to others.
‘Simply astonishing’
“Four breaches is simply astonishing. Why are they not double checking, triple checking and checking again that the information they send out is appropriate?
“It is almost unbelievable that this could have happened so many times. Patients need to be protected from the mishandling of people’s data.”
The ICO said it would not comment on individual cases.
But in a letter to Mr Todd, seen by The Press and Journal, the body wrote: “It is our understanding that medical records pertaining to a third party were provided to you in error in the response to your SAR. We note that you have raised this concern with NHS Highlands, but you are dissatisfied with the handling of the complaint.
“However, we will be raising the matter with NHS Highlands and advise that they: revise and update all policies and procedures to reflect the obligations placed on controllers under UK GDPR; and ensure all data processed by NHS Highlands is subject to appropriate organisational and technical controls with regards to its security.
A spokeswoman for NHS Highland said: “NHS Highland is not currently dealing with any data breaches.
“We work closely with the Information Commissioner to address any concerns raised through them. “
Conversation