£60,000 fine for NHS trust that sent test results to the wrong address

Fourth fine in two months for breach-prone NHS trusts

A health trust in London has been fined £60,000 by the Information Commissioner's Office (ICO) for sending sensitive medical test results to the wrong mailing address.

St George's Healthcare NHS Trust in South London was issued with the penalty after it sent out two letters in May 2011 to the old address of a vulnerable patient. The letters contained sensitive medical details.

The fine is the latest in a string of cases in the NHS of careless handling of sensitive information and data.

The ICO's investigation found that the individual's current address had been provided to the trust's staff before the medical examination took place. Additionally the correct address had been logged on the national care records service, known as NHS SPINE, in June 2006.

The case highlights the importance of organisations, especially ones dealing with sensitive information, making sure that their contact databases are up-to-date.

The mistake was made after the Trust's staff failed to use the address supplied before the examination, or check that the individual's recorded address on their local patient database matched the data on the SPINE. The Trust had set up a prompt to remind staff about the need to check and update patient information against SPINE; however the Trust knew the prompt could be bypassed and failed to take action to address the problem until it was too late.

"This breach was clearly preventable and is the result of the Trust's failure to make sure the contact details they have for their patients are accurate and up to date," said Stephen Eckersley, head of enforcement at the ICO. "This is the fourth monetary penalty we have issued to the NHS in the past two months. It is vital that these organisations make sure they have the necessary measures in place to keep patients' details secure."

The ICO said that the Trust has now taken action to make sure that the personal information it handles is secure. This includes making sure adequate checks are in place to ensure that local information the trust has for patients is correct, by cross-checking that information against SPINE and other relevant sources.