Security of patient records and unauthorized access

D. Moore made this Freedom of Information request to Hywel Dda University Health Board


The request was partially successful.

Dear Hywel Dda University Health Board,

This request concerns the security of patient records and relates to a rogue nurse who accessed patient records she shouldn't have:

https://www.whatdotheyknow.com/request/3...

In your above response you wrote the following:

"It was agreed that it was appropriate to ask the Informatics Team to review the individuals activity on Myrddin, the electronic patient staff record, to identify if any inappropriate accesses had been made."

1. Please provide the job titles of staff who contacted the Informatics Team in the period January 2015 to December 2015 with requests to review the activities of particular individuals on Myrddin.

2. Please provide the number of times the Informatics Team was contacted in the period January 2015 to December 2015 with requests to review the activities of particular individuals on Myrddin.

3. Please provide the number of individuals the Informatics Team identified in the period January 2015 to December 2015 who made inappropriate accesses on Myrddin. From the total figure, please specify the number identified from those individuals whose activities were asked to be reviewed (I am assuming that the Informatics Team can identify rogue elements in circumstances where it has not been asked to carry out a review).

You have written in the response referred to above:

"Since January 2016, The Health Board has implemented the National Intelligent Integrated Auditing Solution (NIIAS)."

4. Please provide the number of times NIIAS has flagged up "potential instances of unauthorized access to patient information" since January 2016 as well as the number of individuals to which the potential instances of unauthorized access relate.

5. For the same period, please provide the number of individuals found to have accessed patient information without authorization. Specify disciplinary outcomes.

Yours faithfully,

D Moore

Kathryn Thomas (Hywel Dda UHB - Senior Correspondence Officer), Hywel Dda University Health Board

Dear Sir/Madam

Information Requested Under The Freedom Of Information Act 2000

Thank you for your recent request for the supply of information relating to security of patient records and unauthorised access.

Under the Act, the Health Board is required to supply the information to you within 20 working days. In terms of your request, this means that the information should be provided by 22 June 2016. If this is not possible, a further letter will be sent advising you of the progress made in satisfying your request.

Please find attached our [1]leaflet giving guidance on our procedure for managing requests for information that is covered under the Freedom of Information Act 2000.

Yours sincerely

Kathryn

Kathryn Thomas

Senior Corporate Information Officer/Uwch Swyddog Gwybodaeth Corfforaethol

Hywel Dda University Health Board/Bwrdd Iechyd Prifysgol Hywel Dda

Corporate Offices

Ystwyth Building/Adeilad Ystwyth

Hafan Derwen

St David's Park/Parc Dewi Sant

Job's Well Road/Fynnon Job

Carmarthen/Caerfyrddin

Carmarthenshire/Sir Gaerfyrddin

SA31 3BB

 

Rhif Ffôn / Telephone Number: 01267 239682 (WHTN 01825 4682)

E-bost: Email: [2][email address]

 

Bwrdd Iechyd Prifysgol Hywel Dda yw enw gweithredol Bwrdd Iechyd Lleol
Hywel Dda / Hywel Dda University Health Board is the operational name of
Hywel Dda Local Health Board

 

 

References

Visible links
1. http://www.wales.nhs.uk/sitesplus/862/op...
2. mailto:[email address]

Katie Diong (Hywel Dda UHB - Freedom of Information Officer), Hywel Dda University Health Board

1 Attachment

Dear Sir/Madam,

Please find attached the response to the request you made for information under the Freedom of Information Act.

Yours Sincerely,

Katie Diong

Freedom of Information Officer/Swyddog Rhyddid Gwybodaeth

Hywel Dda University Health Board/Bwrdd Iechyd Prifysgol Hywel Dda

Corporate Offices

Ystwyth Building/Adeilad Ystwyth

Hafan Derwen

St David's Park/Parc Dewi Sant

Job's Well Road/Fynnon Job

Carmarthen/Caerfyrddin

Carmarthenshire/Sir Gaerfyrddin

SA31 3BB

 

Rhif Ffôn / Telephone Number: 01267 239670 (WHTN 01825 4670)

E-bost: Email: [1][email address]

 

Bwrdd Iechyd Prifysgol Hywel Dda yw enw gweithredol Bwrdd Iechyd Lleol
Hywel Dda / Hywel Dda University Health Board is the operational name of
Hywel Dda Local Health Board

 

References

Visible links
1. mailto:[email address]

Dear Katie Diong (Hywel Dda UHB - Freedom of Information Officer),

Thank you for your advice and assistance.

Please provide responses to parts 4 and 5 of my request.

Yours sincerely,

D. Moore

Katie Diong (Hywel Dda UHB - Freedom of Information Officer), Hywel Dda University Health Board

1 Attachment

Dear Sir/Madam,

Please find attached the response to the request you made for information under the Freedom of Information Act.

Yours Sincerely,

Katie Diong

Freedom of Information Officer/Swyddog Rhyddid Gwybodaeth


Dear Hywel Dda University Health Board,

Please pass this on to the person who conducts Freedom of Information reviews.

I wish to refine my request (1) and to request an internal review (2).

(1). Please provide the number of unauthorized accesses made by each of the 6 individuals who accessed patients' records without a legitimate work reason to do so.

(2). I have been provided with no evidence to justify your use of section 41 FOIA to withhold information on how the 6 delinquents identified were dealt with. Were they not snared by staff responsible for the NIIAS system?

Anyhow, my understanding is that although section 41 is an absolute exemption and therefore not subject to a public interest test under the FOIA, the common law duty of confidence contains an inherent public interest test.

I contend that there is an overwhelming public interest in finding out how individuals who access hospital records they should not, records containing sensitive personal data, are disciplined. Rogue staff could, for example, be selling harvested data to insurance or private health companies who in turn contact vulnerable patients. Alternatively, they could be obtaining information that could be used to blackmail people. The release of the information would allay public concerns and benefit the public.

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/s...

Yours faithfully,

D. Moore

Dear Katie Diong (Hywel Dda UHB - Freedom of Information Officer),

I sent you this internal review request on 8 August and am wondering how things are progressing. I have received nothing to acknowledge its receipt:

"Please pass this on to the person who conducts Freedom of Information reviews.

I wish to refine my request (1) and to request an internal review (2).

(1). Please provide the number of unauthorized accesses made by each of the 6 individuals who accessed patients' records without a legitimate work reason to do so.

(2). I have been provided with no evidence to justify your use of section 41 FOIA to withhold information on how the 6 delinquents identified were dealt with. Were they not snared by staff responsible for the NIIAS system?

Anyhow, my understanding is that although section 41 is an absolute exemption and therefore not subject to a public interest test under the FOIA, the common law duty of confidence contains an inherent public interest test.

I contend that there is an overwhelming public interest in finding out how individuals who access hospital records they should not, records containing sensitive personal data, are disciplined. Rogue staff could, for example, be selling harvested data to insurance or private health companies who in turn contact vulnerable patients. Alternatively, they could be obtaining information that could be used to blackmail people. The release of the information would allay public concerns and benefit the public."

Yours sincerely,

D. Moore

Katie Diong (Hywel Dda UHB - Freedom of Information Officer), Hywel Dda University Health Board

Dear D Moore

Information Requested Under The Freedom Of Information Act 2000

Thank you for your recent request for the supply of information regarding data breaches identified by NIIAS.

Please accept my apology for a lack of earlier response, both myself and my colleague have checked our emails and have been unable to locate your previous email. We would encourage any future correspondence into the UHB for the attention of the Freedom of Information Officer to be sent to our dedicated FOI email inbox at [1][Hywel Dda LHB request email]

Under the Act, the Health Board is required to supply the information to you within 20 working days. In terms of your request, this means that the information should be provided by 27/10/2017. If this is not possible, a further letter will be sent advising you of the progress made in satisfying your request.

Please find enclosed our leaflet giving guidance on our procedure for managing requests for information that is covered under the Freedom of Information Act 2000.

Yours sincerely

Katie Diong

Freedom of Information Officer/Swyddog Rhyddid Gwybodaeth

References

Visible links
1. mailto:[Hywel Dda LHB request email]

Katie Diong (Hywel Dda UHB - Freedom of Information Officer), Hywel Dda University Health Board

1 Attachment

Dear Sir/Madam,

Please accept my sincere apologies for the delay in my response.

Find attached the response to the request you made for information under the Freedom of Information Act.

Please note: we have split your refined request and request for internal review, which will be responded to under separate cover.

Yours Sincerely,

Katie Diong

Freedom of Information Officer/Swyddog Rhyddid Gwybodaeth


Katie Diong (Hywel Dda UHB - Freedom of Information Officer), Hywel Dda University Health Board

Katie Diong (Hywel Dda UHB - Freedom of Information Officer) would like to recall the message, "FOI 388 17 - Final Response".

Katie Diong (Hywel Dda UHB - Freedom of Information Officer), Hywel Dda University Health Board

1 Attachment

Dear Sir/Madam,

Please accept my sincere apologies for the delay in my response.

Find attached the response to the request you made for information under the Freedom of Information Act.

Please note: we have split your refined request and request for internal review, which will be responded to under separate cover.

Yours Sincerely,

Katie Diong

Freedom of Information Officer/Swyddog Rhyddid Gwybodaeth


Katie Diong (Hywel Dda UHB - Freedom of Information Officer), Hywel Dda University Health Board

1 Attachment

Dear Sir/Madam,

Please accept our sincere apologies for the delay in our response. Find attached the response to the request you made for information under the Freedom of Information Act.

Yours Sincerely,

Katie Diong

Freedom of Information Officer/Swyddog Rhyddid Gwybodaeth
