Personal data of 600,000 patients was sent to the US following a mistake by the NHS IT provider, GE Healthcare. Under the Data Protection Act (DPA) details cannot be sent outside the European Union without safeguards in place. An internal review revealed GE Healthcare had obtained more patient data from their diagnostic imaging products than they needed to perform services for their customers. GE Healthcare regularly obtain data to help ensure product reliability and to deliver related services.
Following this data breach GE Healthcare undertook an extensive internal analysis They are confident that data was not lost, hacked, misused or stolen. Disclosed data included ID numbers, initials, gender, height, weight, age and clinical information. Despite the problem being discovered last year the relevant watchdogs have only recently been informed.
The ICO told TechWeekEurope that GE Healthcare had informed them about an issue and is quoted as saying:
"Our understanding is that the issue was identified by the company and they are currently working to fix the problem… it does not appear that any personal data has been compromised… we do not anticipate taking any further action at this stage."
The ICO's seemingly relaxed attitude is perhaps surprising given its tough handling of other data breaches, previously labelling the NHS as the worst offender, as well as its warning that organisations must do more to prevent inadvertent disclosures happening.
The ICO promises to continue to advise GE Healthcare on the obligations they must meet under the DPA and they will take action if necessary.