Health board staff shared patient data on WhatsApp

Staff at NHS Lanarkshire shared the information of patients through an unauthorised WhatsApp group, the Information Commissioner's Office (ICO) has found.

The ICO found that personal information such as the names, phone numbers and addresses of patients were shared by 26 staff members on over 500 occasions.

Images and videos, which included clinical information, were also shared.

The health board apologised to any patients affected.

The ICO found that 26 members of staff at NHS Lanarkshire had access to a WhatsApp group where patient data was entered on more than 500 occasions, including names, phone numbers and addresses between April 2020 and April 2022.

A non-staff member was also added to the WhatsApp group by mistake, resulting in the disclosure of personal information to an unauthorised individual.

The social media platform was made available for staff to communicate during the pandemic, but only basic information was supposed to be shared. WhatsApp was not approved by NHS Lanarkshire for processing patient data and was adopted by staff without the organisation's knowledge.

Once NHS Lanarkshire became aware, it reported the incident to the ICO.

The health board's director of nursing, Trudi Marshall, said it had received a formal reprimand over the use of WhatsApp by one of its community teams.

"We recognise that the team took this approach as a substitute for communications that would have normally taken place in either a clinical or office setting, but was not possible at that time due to Covid restrictions.

"However, the use of WhatsApp was never intended for processing patient data."

Information Commissioner John Edwards told BBC Radio's Good Morning Scotland programme that the WhatsApp group was set up in April 2020 to deal with specific administrative purposes and crisis planning as staff were not in the office due to the Covid pandemic.

However, he said it gradually drifted from its initial purpose and members shared sensitive information which was not authorised.

Mr Edwards said: "There's no suggestion that the data was misused, that anybody acted unprofessionally with it - but it did expose the data to risk.

"I think the clear message for other boards is to really consider a risk assessment when deploying new technologies and new communications platforms."

The health board has taken a number of steps to introduce alternative apps for transferring and storing personal data.

"One thing that this case shows us is that the staff were being innovative themselves," he said.

"In some cases, they were sharing images which could be used for clinical purposes.

"That tells us that there is a demand for a secure image-sharing service and we've recommended that the NHS Lanarkshire board look at that."

The ICO's investigation concluded that NHS Lanarkshire did not have the appropriate policies, clear guidance and processes in place when WhatsApp was made available to download.

Mr Edwards raised concerns around discussing medical data in different communication channels.

"It is really important that there is a single health record that is available to everyone," he said.

"And if you're sharing clinical and diagnostic information on an unauthorised platform that doesn't find its way into the official patient record, that can put patients at risk."

NHS Lanarkshire has been reprimanded, but Mr Edwards decided against fining the health board and confirmed that the ICO was not investigating other health boards for similar breaches.

"We appreciate that NHS Lanarkshire, like all healthcare providers, was under huge pressure during the pandemic but there is no excuse for letting data protection standards slip.," he added.

"Every healthcare organisation should look at this case as a lesson learned and consider their own policies when it comes to both messaging apps and processing information about patients.

"We will be following up with NHS Lanarkshire to ensure that patient data is not compromised again."

By Aileen Clarke, BBC Scotland

The commissioner's report explains that there was someone who was added to the WhatsApp group who was not a member of NHS Lanarkshire staff, but was privy to this information.

But there is also a very practical concern about this kind of clinical WhatsApp group as well as just the security of such sensitive information.

The commissioner is saying that there is a real danger that information shared in this way among a particular group of people might not actually make it into the patient's medical records, and that could put the patient at risk.

The report noted that the images and videos were not held on any clinical systems, only in the WhatsApp group.

So as well as reprimanding NHS Lanarkshire it has also recommended that they seek out a secure way of storing photos and videos.

NHS Lanarkshire has offered apologies to anyone whose personal details were shared in this way.

I did ask the health board if it had checked to make sure there wasn't important information missed off the medical records of the patients involved.

It told me a review had been carried out and had found no issues with medical records.

It is also worth mentioning that the commissioner has decided not to fine the health board as he believes that will only take money away from patient care.

He just wants it to do better and is looking for an update in six months.