A former NHS secretary has been fined by the data protection regulator after illegally accessing the medical records of over 150 people. The Information Commissioner’s Office (ICO) said a complaint was lodged in June 2019 after a patient raised concerns that their records had been improperly accessed by Loretta Alborghetti, from Redditch.
Alborghetti, who worked as a medical secretary within the ophthalmology department of Worcestershire Acute Hospitals NHS Trust, accessed a particular individual’s records 33 times without consent between March 2019 and June 2019, according to a subsequent ICO investigation. The regulator then found she had accessed a total of 156 patient records without consent or a business need, viewing them more than 1,800 times within the three-month period. This included the records of individuals and their family members with postcodes local to where she lived at the time. The people whose records she accessed apparently had no medical conditions relating to ophthalmology.
ICO head of investigations, Andy Curry, stated, “We want to remind those in positions of trust that just because your job may grant you access to other people’s personal information, that doesn’t mean you have the legal right to look at it for your own purposes. This case shows that the ICO will take action when confidential personal records are accessed unlawfully. Curiosity is no excuse for breaching data protection laws.”
Alborghetti pleaded guilty to unlawfully obtaining personal data in breach of Section 170 of the Data Protection Act 2018, according to the ICO. The size of the fine handed to Alborghetti (£648/$810) arguably falls short of what is needed to send a clear message to others.
The incident raises privacy and security concerns, particularly as the National Health Service (NHS) has recently announced plans to share patient data with third parties. Although the NHS aims to utilize patient data for research and planning, unauthorized access to medical records by individuals like Alborghetti highlights the risks associated with sharing and accessing sensitive information. The public’s confidence in the protection of their personal data is essential, and incidents like this erode trust in healthcare organizations.
The breach by Alborghetti emphasizes the importance of robust data protection measures and the need for clear consequences for those who unlawfully access sensitive information. Regulatory authorities must ensure that the penalties for such breaches are sufficient to deter others from committing similar offenses. Strict enforcement of data protection laws and regulations is crucial to safeguarding the privacy and security of individuals’ medical records. Healthcare organizations must also prioritize the training and ethical conduct of employees who have access to sensitive patient data to prevent unauthorized access and misuse.
The case of Loretta Alborghetti serves as a reminder of the potential consequences of unlawful access to medical records and the importance of upholding data protection laws within the healthcare sector. It also underscores the continuing challenges in ensuring the privacy and security of patient data, as well as the need for ongoing vigilance and regulatory oversight to address breaches and protect individuals’ sensitive information.