Staff at NHS Lanarkshire shared the information of patients through an unauthorised WhatsApp group, the Information Commissioner’s Office (ICO) has found.
The ICO found that personal information such as the names, phone numbers and addresses of patients was shared by 26 staff members on over 500 occasions.
Images and videos, which included clinical information, were also shared.
The health board apologised to any patients affected.
The ICO found that 26 members of staff at NHS Lanarkshire had access to a WhatsApp group where patient data, including names, phone numbers and addresses, was entered on more than 500 occasions between April 2020 and April 2022.
A non-staff member was also added to the WhatsApp group by mistake, resulting in the disclosure of personal information to an unauthorised individual.
The social media platform was made available for staff to communicate during the pandemic, but only basic information was supposed to be shared. WhatsApp was not approved by NHS Lanarkshire for processing patient data and was adopted by staff without the organisation’s knowledge.
Once NHS Lanarkshire became aware, it reported the incident to the ICO.
Trudi Marshall, nurse director, health & social care North Lanarkshire, said: “We have received a formal reprimand from the ICO for the use of WhatsApp by one of our community teams to exchange personal patient data during the pandemic.
“We recognise that the team took this approach as a substitute for communications that would have normally taken place in either a clinical or office setting, but were not possible at that time due to Covid restrictions. However, the use of WhatsApp was never intended for processing patient data.”
‘A lesson learned’
The health board has taken a number of steps to introduce alternative apps for transferring and storing personal data.
The ICO’s investigation concluded that NHS Lanarkshire did not have the appropriate policies, clear guidance and processes in place when WhatsApp was made available to download.
Information Commissioner John Edwards said: “Patient data is highly sensitive information that must be handled carefully and securely. When accessing healthcare and other vital services, people need to trust that their data is in safe hands.
“We appreciate that NHS Lanarkshire, like all healthcare providers, was under huge pressure during the pandemic but there is no excuse for letting data protection standards slip.
“Every healthcare organisation should look at this case as a lesson learned and consider their own policies when it comes to both messaging apps and processing information about patients.
“We will be following up with NHS Lanarkshire to ensure that patient data is not compromised again.”