NHS Lanarkshire has been reprimanded by a watchdog after staff members shared patients’ personal data on WhatsApp hundreds of times.
The Information Commissioner’s Office (ICO) reported that personal information such as patient names, phone numbers and addresses were shared by 26 staff members on more than 500 occasions.
Images, videos and screenshots – which included clinical information – were also shared on the messaging platform.
The sensitive data was leaked between April 2020 and April 2022.
NHS Lanarkshire had apologised to those affected.
While WhatsApp is approved for NHS workers for basic communication, it is not approved by the health board for sharing sensitive data.
A non-staff member was also added to the WhatsApp group by mistake, resulting in the disclosure of personal information to an unauthorised individual.
Once NHS Lanarkshire became aware, it reported the incident to the ICO.
An investigation was subsequently launched, which concluded that the health board did not have the appropriate policies, clear guidance and processes in place when WhatsApp was made available to download.
This meant that NHS Lanarkshire had no assessment of the potential risks relating to sharing patient data in this way.
UK Information Commissioner John Edwards said: “Patient data is highly sensitive information that must be handled carefully and securely. When accessing healthcare and other vital services, people need to trust that their data is in safe hands.
“We appreciate that NHS Lanarkshire, like all healthcare providers, was under huge pressure during the pandemic but there is no excuse for letting data protection standards slip.
“Every healthcare organisation should look at this case as a lesson learned and consider their own policies when it comes to both messaging apps and processing information about patients.
“We will be following up with NHS Lanarkshire to ensure that patient data is not compromised again.”
The ICO issued a number of recommendations to prevent future data breaches, including implementing a secure clinical image transfer system for the storage of images and videos within a care setting.
The watchdog added that NHS Lanarkshire should “consider the risks” in relation to personal data and ensure that staff are “aware of their responsibilities to report personal data breaches internally without delay to the relevant team”.
The health board – which has been asked to provide an update of action taken within six months – said it has already taken a number of steps.
Trudi Marshall, nurse director, health and social care North Lanarkshire, said: “We have received a formal reprimand from the ICO for the use of WhatsApp by one of our community teams to exchange personal patient data during the pandemic.
“We recognise that the team took this approach as a substitute for communications that would have normally taken place in either a clinical or office setting, but was not possible at that time due to COVID restrictions.
“However, the use of WhatsApp was never intended for processing patient data.
“We offer our sincere apologies to anyone whose personal details were shared through this group.
“We have already taken a number of steps including looking at alternative apps that can be introduced for the transfer and storage of images and videos within a care setting.
“This is being taken forward while considering the risks relating to the storage of any personal data.”