An MDDUS adviser receives a distressed call from a Dr B who is a community paediatric specialist registrar. She has been summoned to a disciplinary hearing of her employing foundation hospital trust to answer to an allegation of breached patient confidentiality.
A data stick belonging to Dr B had been found by a cleaner in a local health centre and had been returned to the director of postgraduate training. On the unencrypted data stick were a number of named patient assessments with details of a highly confidential nature.
On being confronted, Dr B admitted that she had first suspected the USB stick might be missing a week before it was found. But she had been convinced the stick was somewhere in her flat and would “eventually turn up”. Only after four or five days had Dr B begun to grow increasingly worried and decided to look for it in a few “logical” places, including the health centre, before reporting it missing.
A letter from the trust confirms that Dr B had been made aware of the trust’s security policy and had attended an induction session where it was made explicit that personal data keys were prohibited items for use in storing patient data. In the same session it was made clear that any loss of confidential data must be reported immediately to the trust and an educational supervisor.
Analysis and outcome
The MDDUS adviser accompanies Dr B to the disciplinary hearing, where a number of issues are raised. Evidence is provided that Dr B failed to maintain the security of the information on the stick by not encrypting it with password protection, and failed to ensure that the stick itself was kept in a safe place. But even more fundamentally, she breached trust policy in the first place by using a personal USB stick to store highly confidential information.
In addition Dr B did not report the stick missing until after it was found by the cleaner.
Dr B is found to be in serious breach of trust policies and procedures in relation to patient confidentiality and data security. She is issued with a final written warning and is subject to additional supervision in regard to issues of probity and patient confidentiality.
The matter is also referred to the GMC and two case examiners conduct an investigation resulting in a formal Rule 11 warning from the regulator.
• Ensure you know and follow the data security policy and procedures of your employing trust or health authority.
• Use only authorised encrypted USB drives or other devices to store confidential patient information.
• Authorised USB data devices should in general only be used on an exceptional basis where it is essential to store or temporarily transfer data.