Outcomes - Selected Case Summaries
Categories
HSA discloses PCR results to wrong person
Informal Resolution | 28 March 2022
The HSA suffered a personal data breach when a nurse on the Maternity Ward handed a copy of a PCR test result to the wrong patient. Both of the individuals were partners of patients of the Maternity Ward. The error involved sensitive personal data, including medical information. The recipient reported the error to the HSA.
The HSA confirmed that the erroneously sent document was destroyed, and apologized to the data subject. As a result of this breach, the HSA stated that it would review its Internal processes and an additional layer of checks would be added to ensure that documents are cross-checked against the visitor or patient’s ID prior to issuing printed results of PCR tests.
In the course of our review, we requested a copy of the revised procedures and queried whether patients were made aware of the option to sign up for the MyHSA portal to access their test results online, thus reducing the likelihood of this type of error re-occurring. After numerous follow-ups and significant delays, the revised procedure was eventually provided to us for review, and we found it to be compliant with the applicable seventh data protection principle. As all other requirements had been complied with, the case was closed with no further action.