An NHS trust in the UK faces repercussions from the data protection regulator for a concerning breach of patient data privacy. Over a span of two years, 26 staff members at NHS Lanarkshire utilized an unauthorized WhatsApp group to share sensitive patient information, including names, phone numbers, addresses, images, videos, screenshots, and clinical data, as revealed by the Information Commissioner’s Office (ICO).
Furthermore, the WhatsApp group, initially set up to aid staff communication during the early days of the pandemic, was not approved for processing patient data, which falls under GDPR’s “special category” of personal data, enjoying special protection under Article 9 of the law.
At the same time, the staff’s undisclosed use of the group led to the inadvertent addition of a non-staff member, resulting in the inappropriate disclosure of personal information, highlighting the risks associated with shadow IT.
Additionally, the NHS trust notified the ICO upon discovering the incident, but by then, patient data had already been entered into the app more than 500 times. Subsequent investigations concluded that the trust lacked appropriate policies, guidance, and processes when WhatsApp was introduced, with no risk assessment conducted at that time.
John Edwards, the Information Commissioner, stressed the need for careful and secure treatment of patient data to build trust among people. Despite the immense pressure faced by healthcare providers during the pandemic, he asserted that data protection standards cannot be compromised.
Edwards urged all healthcare organizations to learn from this incident, reevaluate their policies regarding messaging apps and patient data processing, and ensure that patient data remains safeguarded.
