Private Health Firm Fined £200,000 after IVF Patients’ Confidential Conversations Revealed Online

The Information Commissioner's Office (ICO) announced yesterday that it had fined a private health company, HCA International Ltd, £200,000 for failing to keep fertility patients' personal information secure. Back in April 2015, a patient found that transcripts of interviews with Lister Hospital IVF patients could be freely accessed by searching online. A subsequent ICO investigation revealed that since 2009 the hospital had been emailing unencrypted audio recordings to a company in India for transcription. The Indian company could not restrict access to the personal information because it stored the audio files and transcripts on an insecure server. The ICO therefore found that HCA International had breached the Data Protection Act 1998 by failing to ensure that its sub-contractor handled the data responsibly.

Sadly this incident is part of a wider trend, with the healthcare sector accounting for 46% of the self-reported data protection incidents handled by the ICO in 2015-16. More generally, it is a reminder to us all that you can outsource an activity, but you cannot outsource your responsibilities to your stakeholders.

Helen Molyneux is the founder and director of Cambridge Risk Solutions. A certified Lead Auditor for ISO 22301 and ISO 27001, she has spent nearly two decades helping organisations across the public and private sectors build genuine resilience — not just documented compliance. She writes from practice, not theory.
