NHS staff shared patient data on WhatsApp

NHS Lanarkshire staff shared information about patients through an unauthorised WhatsApp group message, the Information Commissioner’s Office (ICO) has found.  

Personal data such as names, phone numbers and addresses of patients was shared by 26 members of staff over 500 times, as well as images and videos including clinical information.  

A non-staff member was also added to the group by accident, meaning personal information was disclosed to an unauthorised individual.  

The health board has apologised for the data leak that took place between April 2020 and April 2022.  

WhatsApp is an approved way for NHS staff to engage in basic communication. However, there is no such approval for sharing sensitive data.  

After being made aware of the WhatsApp group, NHS Lanarkshire reported the incident to the ICO, which conducted an investigation, concluding that the health board did not have the appropriate policies, clear guidance, or processes in place when WhatsApp was made available to staff members during the pandemic.  

Trudi Marshall, nurse director at Health & Social Care North Lanarkshire, confirmed it had received a formal reprimand for the use of WhatsApp by one of its community teams.  

She said: “We have received a formal reprimand from the ICO for the use of WhatsApp by one of our community teams to exchange personal patient data during the pandemic.  

“We recognise that the team took this approach as a substitute for communications that would have normally taken place in either a clinical or office setting but was not possible at that time due to Covid restrictions. However, the use of WhatsApp was never intended for processing patient data.  

“We offer our sincere apologies to anyone whose personal details were shared through this group.  

“We have already taken a number of steps including looking at alternative apps that can be introduced for the transfer and storage of images and videos within a care setting. This is being taken forward while considering the risks relating to the storage of any personal data.”  

John Edwards, UK information commissioner, said: “Patient data is highly sensitive information that must be handled carefully and securely.  

“When accessing healthcare and other vital services, people need to trust that their data is in safe hands.  

“We appreciate that NHS Lanarkshire, like all healthcare providers, was under huge pressure during the pandemic but there is no excuse for letting data protection standards slip.  

“Every healthcare organisation should look at this case as a lesson learned and consider their own policies when it comes to both messaging apps and processing information about patients.  

“We will be following up with NHS Lanarkshire to ensure that patient data is not compromised again.”  

The ICO has now recommended actions for NHS Lanarkshire to take to prevent similar future occurrences.  

One of the suggestions is that the health board should implement a secure clinical image transfer system for images and videos in a care setting. NHS Lanarkshire must also “consider the risks” about personal data and sure staff are “aware of their responsibilities to report personal data breaches internally without delay to the relevant team”.  

The health board has been asked to provide an update on the action taken within the first six months of the reprimand being issued.