06 February 2019 by Kirsty-Anne Jasper
Sir Alex Ferguson’s medical notes breach can teach us lessons about effective information governance
Health crises, when we or a loved one need medical treatment or even hospitalisation, are times of intense anxiety and stress. It is an intensely private time when people feel at their most vulnerable. Therefore, when the medical records of the former Manchester United manager Sir Alex Ferguson were accessed by members of staff at Salford Royal hospital who had no responsibility for his care, it was a huge breach of trust and medical ethics, and a situation with which we should all sympathise.
The hospital has acknowledged that following Sir Alex’s collapse at home last May – after suffering from a brain haemorrhage – there had been ‘an information governance breach’ and that it ‘apologised unreservedly to the patient and their family.’ Several members of staff are currently under investigation, who, The Sunday Times reports, include two doctors, a senior consultant and at least two nurses. None of these staff members are reported to have been involved in Ferguson’s care.
The unauthorised accessing of Sir Alex’s medical records has hit the headlines, and while the trust has declined to name the patient at the centre of the controversy, it has confirmed that it has reported the alleged breaches to the Information Commissioner’s Office (ICO) and that a ‘HR process’ is currently underway.
Sir Alex spent four nights in Greater Manchester’s Salford Royal hospital’s intensive care unit before receiving inpatient treatment for two weeks, being discharged in June 2018. There is no indication that he received anything but excellent care, and following his return home from hospital Sir Alex released a video message where he said: ‘Hello. Just a quick message first of all to thank the medical staff at Macclesfield, Salford Royal and Alexandra hospitals.’
‘Believe me, without those people, who gave me such great care, I would not be sitting here today. So, thank you from me and my family. Thank you very much.’
The chief medical officer for the Northern Care Alliance NHS Group, which runs Salford Royal, Dr Chris Brookes, said: ‘We can confirm that a number of staff who work at Salford Royal are currently subject to investigation in relation to an information governance breach.’
‘All of our patients have the right to expect that their information will be looked after securely and accessed appropriately.’
‘We take patient confidentiality extremely seriously...and will take the appropriate action to ensure staff understand the seriousness of unauthorised access.’
This is not the first time that Sir Alex’s medical records have been compromised. In 2011 former sports reporter Matthew Driscoll told the Leveson Inquiry that the News of the World’s sports editor had accessed Ferguson’s medical records by ‘blagging.’ He claimed that the information obtained through these activities was ultimately not published following discussions with Sir Alex, who did not wish for the information to enter the public domain. Driscoll claimed that instead, the manager began co-operating with the paper. When asked by Lord Leveson if this was as part of a deal, Driscoll replied ‘You could definitely call it that.’
It’s easy to see the curiosity or potential for profit that may have motivated the individuals involved to spy on the medical records of a high-profile individual such as Sir Alex, but this is far from an isolated incident. In May 2018 it was reported that two members of staff from Ipswich Hospital were disciplined following unauthorised access to singer Ed Sheeran’s medical records. A medical staff member was given a written warning and a member of admin staff was sacked after both staff members ‘accessed patient information without legitimate or clinical reason,’ the hospital said.
The hospital had been forced to review its policy on high-profile patients following his admission, after it was revealed that several members of Ipswich Hospital staff had asked Sheeran to pose for photographs and sign autographs. The hospital stated that the review would cover ‘confidentiality, privacy of the patient and their loved ones and practical considerations.’
The problem of unauthorised staff accessing medical records and behaving inappropriately is not, however, limited to high profile patients. Repeated breaches had in fact become so large a concern that in August 2017 the ICO issued a public warning to the NHS about the ‘potentially serious consequences of prying into patients’ medical records without a valid reason.’
The warning followed the prosecution of former health care assistant Brioney Woolfe, who was found by Colchester Magistrates’ Court to have accessed the records of 29 people, including family members, colleagues and others where no connection is known, between December 2014 and May 2016. She subsequently shared some of the information gathered with others, in breach of patient confidentiality and acting against the Data Protection Act.
Woolfe was fined £400 for the offence of obtaining personal data, and a further £650 for the offence of disclosing personal data. She was also ordered to pay a contribution of £600 towards prosecution costs, plus a victim surcharge of £65. At the time of the warning’s issuance the Head of Enforcement at the ICO, Steve Eckersley, said ‘Once again we see an NHS employee getting themselves in serious trouble by letting their personal curiosity get the better of them.’
‘Patients are entitled to have their privacy protected and those who work with sensitive personal data need to know that they can’t just access it or share it with others when they feel like it. The law is clear and the consequences of breaking it can be severe.’
The public warning appears to have had limited success, however: since it was issued the ICO has fined or prosecuted four members of NHS staff in relation to accessing patients’ medical information without authorisation. This includes a case as recently as September 2018, when former Southport and Ormskirk Hospital NHS Trust nurse Clare Lawson was found to have inappropriately accessed the medical records of five patients, including accessing a friend’s blood test results 44 times alongside fetal scans.
Information governance breaches are commonly discussed in terms of complex data and online systems failures or hacks. The NHS failures, however, can all be found to have a simple, unifying feature: employees.
Sometimes, as discussed above, this is due to willful neglect of the law, but on many other occasions it’s negligence or pure carelessness that is to blame. A 2011 Guardian report found that the majority of reported data breaches within the NHS were caused by staff losing devices or information, disposing of it inappropriately or giving out data in error. Either way the situation is simply not good enough with too many patients being compromised.
The outcome in the Sir Alex Ferguson case is not yet known but an individual case is unlikely to have further repercussions.
The introduction of the General Data Protection Regulation (GDPR) in May 2018 may have an effect. There’s no doubt that since its introduction the conversation around data, access and storage has increased and time will tell if it is successful in reducing breaches.
However, knowledge and education can only go so far. As long as people are nosy or greedy, medical records breaches are likely to occur. Further crackdowns are needed with increased prosecutions and fines. Otherwise the lure of being able to pass on a ‘juicy bit of gossip’ will continue to outweigh the potential consequences.