NHS Lanarkshire has its knuckles rapped over staff use of WhatsApp to share sensitive patient data, which ultimately led to a data leak
The Information Commissioner’s Office (ICO) issued the reprimand after finding 26 staff sent sensitive data to each other via the messaging app on more than 500 occasions.
The data – which was leaked between April 2020 and April 2022 – included patients’ names, phone numbers, addresses, images, videos, screenshots and clinical information.
A non-staff member was also added to the WhatsApp group in error, meaning they could have viewed the sensitive information.
While NHS staff are allowed to use WhatsApp for basic communication, it is not approved for sharing sensitive data.
NHS Lanarkshire was made aware of the issue and reported the incident to the ICO, which – after investigation – concluded the organisation did not have the appropriate policies, clear guidance or processes in place when WhatsApp was made available to download.
This meant NHS Lanarkshire had no assessment of the potential risks relating to sharing patient data.
John Edwards from the ICO said: “Patient data is highly sensitive information that must be handled carefully and securely.
“When accessing healthcare and other vital services, people need to trust their data is in safe hands. We appreciate NHS Lanarkshire, like all healthcare providers, was under huge pressure during the pandemic, but there is no excuse for letting data protection standards slip.
“Every healthcare organisation should look at this case as a lesson learned and consider their own policies when it comes to both messaging apps and processing information about patients.
“We will be following up with NHS Lanarkshire.”
The ICO has since recommended the health board take action to prevent future data breaches, suggesting it should implement a secure clinical image transfer system for the storage of images and videos within a care setting.
The watchdog said NHS Lanarkshire should “consider the risks” in relation to personal data and ensure that staff are “aware of their responsibilities to report personal data breaches internally without delay to the relevant team”.
The ICO asked NHS Lanarkshire to provide an update of action taken within six months of the reprimand being issued.
NHS Lanarkshire was contacted for comment.