Manx Care has been hit with an Enforcement Notice from the island’s Information Commissioner due to several data breaches.
The health service has failed to comply with GDPR regulations, resulting in a number of data breaches over the last six months.
In one case, ‘the unencrypted medical record of a patient was emailed to circa 2,200 email recipients’.
The report states that the organisation is aware that it has failed to implement appropriate technical and organisation measures to ‘ensure a level of security appropriate to the risk’.
It appears that ‘special category data [was] sent in email communications and attachments’, causing damage and distress to patients.
The enforcement notice gives Manx Care four months from the issue date of the Enforcement Notice (February 25, 2022), to:
l Bring its processing activities into compliance with the Applied GDPR;
l Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk... with particular emphasis on, but not restricted to, special category data currently sent in email attachments;
l Implement appropriate technical and organisational measures to prevent further personal data breaches caused by the use of insecure methods of communication.
The board was also given six weeks to inform the commissioner how it intends to put these measures in place, and a timeline for doing so.
Failure to comply with the enforcement notice could result in a fixed penalty, with a maximum fine of £1,000,000.
The Examiner asked Manx Care for a comment regarding the enforcement notice.
In response, it said: ‘In view of enforcement action which relates to a period from April to December 2021, Manx Care and the Manx Care board recognise significant work is necessary to remediate the information governance risks and challenges Manx Care currently faces, and we are committed to getting this right moving forward.
‘We can confirm that a programme of work has commenced, overseen by the Manx board and in conjunction with Cabinet Office Transformation Programme, to make all of the necessary improvements identified within the external review undertaken by KPMG as part of the Transformation Programme.’