Records Management

UK Child Care Service Breaches Act
Europe, Middle East and Africa

The United Kingdom (UK) Information Commissioners Office (ICO) has announced that the Telford and Wrekin Council has breached the Data Protection Act due to two instances of the disclosure of personal information about children, and has received a penalty notice (28 May 2012) for £90,000. In the first instance, a member of staff from Safeguarding Services sent the child’s Social Care Core Assessment to the child’s sibling instead of their mother who lived at the same address. In the second breach, the addresses of foster care placements of children were included in the Placement Information Record which was shown to the mother of the children, who noted the addresses. The ICO announced that the “council has now committed to taking action including providing Safeguarding Services staff with further training and support on data protection and information security as well as on using the Protocol system”. The council is also “introducing formal guidance on checking documents printed off the Protocol system, and making changes to its configuration”.

ICO’s media release (6 June 2012)
(Source: ICO)

Hospital Pays US$700,000 to Settle Data Breach

Massachusetts Attorney General Martha Coakley has announced that South Shore Hospital (SSH) has agreed to pay US$700,000 to settle a lawsuit in relation to an alleged failure to protect the health information of more than 800,000 patients.

The data breach occurred In February 2010 when South Shore Hospital (SSH) shipped three boxes containing 473 unencrypted back-up computer tapes with the personal information of 800,000 individuals to Archiva Data Solutions in Texas to have the tapes erased and resold. Only one box arrived at the destination. SSH did not inform Archive that there was protected data on the tapes, nor check whether it had sufficient safeguards to protect the information.

As part of the consent judgment SSH has also agreed to take steps regarding “its contracts with business associates and third-party service providers engaged for data destruction purposes” and has “agreed to undergo a review and audit of certain security measures and to report the results and any corrective actions to the Attorney General”.

Ms Coakley stated that “[h]ospitals and other entities that handle personal and protected health information have an obligation to properly protect this sensitive data, whether it is in paper or electronic form” and that “[i]t is their responsibility to understand and comply with the laws of our Commonwealth and to take the necessary actions to ensure that all affected consumers are aware of a data breach”. Attorney-General’s media release (24 May 2012)

Related news item:
Boston Business Journal: South Shore Hospital to pay $475K over patient data breach (24 May 2012)
(Source: Attorney-General; Boston Business Journal)

Health Service Loses USB, Pays $500,000

The Toronto Star reports that a proposed settlement has been reached in a class action lawsuit against Durman Region Health (DRH). The suit was reportedly based on “a nurse los[ing] a USB key laden with the unencrypted personal information of 83,524 people in December 2009″. The key, which reportedly “contained names, phone numbers, dates of birth, health card numbers and primary physician names of people vaccinated against H1N1 in eight clinics from [23 October - 15 December 2009]“, was “dropped somewhere between the regional headquarters parking garage and the building on [16 December 2009]“, and was never found. The proposed settlement reportedly involves DRH paying $500,000 in costs, disbursements and taxes, however DRH may also be required to make individual payments to those individuals who can show they were financially affected because their information was on the lost USB.

Toronto Star: Durham Region Health class action lawsuit puts price on personal information (28 May 2012)
(Source: Toronto Star)

UK Privacy Commissioner Fines Council £70,000 Over Privacy Breach
Europe, Middle East and Africa

The Information Commissioner’s Office (ICO) has announced that it has fined the London Borough of Barnet £70,000 “for losing paper records containing highly sensitive and confidential information, including the names, addresses, dates of birth and details of the sexual activities of 15 vulnerable children or young people”. The breach occurred when the documents were taken out of the office by a social worker, to work on at home. The social worker’s house was broken into and the documents were stolen. According to the ICO, “the council failed to take appropriate organisational measures against the accidental loss of personal data held on paper records”. ICO director of operations Simon Entwisle “it is vitally important that organisations have the correct guidance in place to keep sensitive paper records taken outside of the office safe”.

ICO’s media release (16 May 2012)
(Source: ICO)

Former BP Engineer Arrested on Obstruction Charges Related to Gulf Spill

Federal prosecutors have filed criminal charges against Kurt Mix, a former BP engineer, accusing him of destroying evidence related to the BP oil spill. According to an affidavit filed with the complaint, despite being told by BP to retain all documentation related to the well, Mix deleted more than 200 text messages that discussed the amount of oil that was leaking from the well and 100 other messages. Some of the messages indicated BP’s efforts to stop the leak were likely to fail because the amount of oil leaking from the well was higher than what BP had originally estimated. Legal analysts suggest that the prosecutors might argue that corporate officers wanted to hide the full extent of the spill to protect BP from fines and to support its stock price. Counsel for Mr. Mix said that the contents of the deleted messages were available in other information provided to the government. BP has agreed to a multibillion-dollar settlement with lawyers for individuals and businesses for monetary losses and medical claims. However, the company has not been cleared from criminal prosecution, which could lead to suspension or exclusion from government contracts. Federal prosecutors indicated there could be more prosecutions related to the explosion and oil spill. BP has stated that it is cooperating with the Department of Justice and other official investigations and would not comment on the case against Mr. Mix.

New York Times: Engineer Arrested in BP Oil Spill Case (24 April 2012)
(Source: New York Times)