Medical receptionist prosecuted after unlawfully accessing patient’s details

[Erica Absetz <eabsetz () opensecurityfoundation org>]

http://www.ico.gov.uk/news/latest_news/2013/medical-receptionist-prosecuted-after-unlawfully-accessing-patients-details-12032013.aspx

A former receptionist at a GP surgery in Southampton has been
prosecuted by the Information Commissioner’s Office (ICO) for
unlawfully obtaining sensitive medical information relating to her
ex-husband’s new wife.

Appearing at West Hampshire Magistrates today, Marcia Phillips was
prosecuted under section 55 of the Data Protection Act and fined £750
and ordered to pay a £15 victim surcharge and £400 prosecution costs.

Ms Phillips was found to have accessed the information on 15 separate
occasions over a 16-month period while working as a receptionist at
the Bath Lodge Practice. The breach became apparent after Phillips
left her job and sent a text message to her ex-husband’s partner
referring to highly sensitive medical information taken from her
medical record.

Deputy Commissioner and Director of Data Protection, David Smith, said:

“This case clearly shows the distress that can be caused when an
individual uses a position of responsibility to illegally access
sensitive personal information. Ms Phillips knew she was breaking the
law, but continued to do so in order to cause harm to her ex-husband’s
new wife.

“The nature of her job meant that she will have been in no doubt as to
the importance of patient confidentiality. Despite this she repeatedly
accessed the victim’s file without a valid reason.”

Unlawfully obtaining or accessing personal data is a criminal offence
under section 55 of the Data Protection Act 1998. The offence is
punishable by way of a fine of up to £5,000 in a Magistrates Court or
an unlimited fine in a Crown Court. The ICO continues to call for more
effective deterrent sentences, including the threat of prison, to be
available to the courts to stop the unlawful use of personal
information.

David Smith added:

“We continue to urge the Government to press ahead with the
introduction of tougher penalties to enforce the Data Protection Act.
Without these unscrupulous individuals will continue to break the law.
Action to replace the section 55 'fine only' regime with an effective
deterrent is long overdue. This change is not directed at the media
and should not be held while Lord Justice Leveson's recommendations on
data protection and the media are considered.”
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.