Central London Community Healthcare NHS Trust has been fined £90,000 by the Information Commissioner's Office (ICO) after patient lists were faxed to the wrong recipient.
The incident occurred at the end of March 2011 when patient lists from the Pembridge Palliative Care Unit, intended for St John's Hospice, were faxed erroneously.
An administrator at the Pembridge Palliative Care Unit was asked to send its inpatient lists to an additional fax number to ensure that service provision was unaffected during the absence of an out-of-hours doctor.
A second number was added to the coversheet and the standard practice of calling the hospice to confirm receipt was followed, but the recipient was only confirming receipt of the inpatient list sent to the fax number contained in the fax protocol and not that sent to the second fax number. As a result, the administrator continued to send the inpatient lists to the second fax number.
Around a week later, a member of the public informed the administrator that he had been receiving the inpatient lists and had shredded them; during this period the administrator had sent approximately 45 fax transmissions intended for the hospice.
The inpatient lists contained confidential and sensitive personal data relating to 59 individuals in total, many of whom were receiving palliative care; this included medical diagnoses, information about patients' domestic situation and resuscitation instructions.
The ICO's investigation found that the trust also failed to provide sufficient data protection guidance and training to the member of staff concerned.
Stephen Eckersley, the ICO's head of enforcement, said: “Patients rely on the NHS to keep their details safe. In this case the NHS trust failed to keep its patients' sensitive information secure. The fact that this information was sent to the wrong recipient for three months without anyone noticing makes this case all the more worrying.”