
Letter from hospital - is this a privacy breach?

Status
Not open for further replies.

barefoot

MyPTSD Pro
I received a letter from a hospital today saying that they have received a referral from my GP and I’ve now been added to the waiting list for an initial outpatient appointment so can I please call them to make that appointment.

The odd thing is that the letter was addressed to someone else - to a man with my surname. So, I almost just threw the envelope into the recycling initially but then, because the surname was the same as mine, I opened it.

So, the letter is addressed to this random man who shares my surname. Plus the NHS number quoted on the letter wasn’t mine either so presumably it is his.

I called the hospital. They asked for my hospital number (which is given on the letter). I told her the number and then explained the mistake (wrong first name - and gender - and wrong NHS number in the letter) but said the surname and address is correct and that I am waiting for a letter like this from them. She then confirmed that the hospital number wasn’t mine either.

She couldn’t find my referral on the system and couldn’t then make my appointment. And she didn’t seem to know what to do about the mix up. Said she would speak to her supervisor who would phone me back. But no one has.

I’m feeling frustrated about this because none of my dealings with this hospital have been straightforward - though, to be fair, this is my first dealing with this department. I just want to make the bloody appointment!

But I also feel quite anxious about this mix up because it doesn’t feel very safe in terms of privacy and confidentiality etc.

I’m not sure whether they have merged this man’s first name with my surname or whether the mix up has somehow occurred because we do have the same surname.
If it’s the latter, I now have this man’s first name and surname and NHS number. And I guess it is then very possible that he has received mine.

I don’t know whether it is possible for anyone to do something dodgy with this info (name and NHS number) if they wanted to or if it is a completely harmless combination of data to have.

It just really bothers me that they have been so careless. I know people make mistakes. But this just seems like such a basic thing to get right - sending a hospital letter to the correct person at the correct address with the correct NHS and hospital numbers?

Is it bad that I have this info (and that someone else maybe has mine)? Should I...I don’t know...report it or something?!
Or is it just an irritating but completely harmless clerical error?

Can anyone advise at all?

Thanks!

ETA: there isn’t any confidential medical information contained in the letter. It just says which department it is for and says about making an appointment.
 
I don't know very much about your health care system, so I can really only speak to what I know about the system where I am.

In my system this would be a reportable incident, and because the leaked info includes name, health care number, and department, it would be considered a significant breach because the patient and their health condition are identifiable. If the media or social media here got wind of something like this, the shit would definitely hit the fan.

I hope this can get sorted out without you having to jump through hoops, and that you can get your appointment booked.
 
If it is the same sort of Patient Administration System as I used to use, someone has searched for you by surname, picked up the wrong record and assumed a change of address. The man won't have had your details, as your referral is sitting on his record. Most likely to happen if you have no record at that Trust.

It's basic incompetence to make the error, and lack of training for the person you spoke to not to realise what happened and be able to resolve it, so I'd go for a formal complaint to the head of Outpatient Services, but I don't think there is any risk to your data. In the short term, you could contact PALS to get someone to act. You should remind them to ensure the referral goes on with the right start date - the date they received it NOT the date they sort out the mess- or you will wait longer.
 
That’s what I’ve been thinking @Suzetig - GDPR has been inescapable over the past weeks and months so I’m shocked that they’ve been this careless at this time of all times.

Thanks @Sandstone - it is at least reassuring to know that he may not have received my data and that you think it’s unlikely that there’s any risk to my data. I have been worrying about that - worried that if someone else received the equivalent of my information that they could use it in some sinister way.

The woman I spoke to on the phone today seemed confused then went very quiet then said she would have to get her supervisor to call me back. So I think she may have realised that this was a bad mess and decided to refer it to her boss for her to handle? And I don’t think she could find me on the system anyway, so I guess she thought there wasn’t anything she could do about it in practical terms? (In terms of getting my record corrected or getting my appointment booked in) I do have a record at that trust/hospital. But in a different department... so maybe I don’t already have one in this department if they are all separate systems not centralised.

Can I actually make a complaint to the hospital / the Information Commissioner’s Office / contact PALS if I don’t know whether my data has been sent anywhere? Or am I making a complaint / reporting it because they have breached someone else’s data to me?

@Sandstone - so, if what you think happened has happened with the record/change of address etc mix up, there is a man with the name on my letter, so I have his full name and his NHS number? It’s not likely that his first name and my last name have somehow been merged into a new hybrid name?!

And also @Sandstone - sorry, my brain is being a bit slow tonight...if I contact PALS what am I asking them to act on? To help get my appointment booked in? Or to report the breach? Or…?

Thanks for the help with this.
 
Can I actually make a complaint to the hospital / the Information Commissioner’s Office / contact PALS if I don’t know whether my data has been sent anywhere? Or am I making a complaint / reporting it because they have breached someone else’s data to me?
Yes, the complaint is in relation to the data breach; you received someone else’s data in error so you have every right to complain because it undermines your faith that your own data is safely held - which was the whole point of the GDPR review.
 
Thank you @Suzetig - that makes sense.

One final question - if the woman or the supervisor calls me back, what do I do? Do I say I want to make a complaint and ask what their procedure is/who to contact etc? Or do I ignore that and just focus on getting my appointment sorted and then make a complaint/report it afterwards?

Sorry - feel a bit pathetic asking all these questions as though I’m totally incapable of having a single thought of my own! Think I am more rattled by this than I first thought!
 
If the supervisor didn't call me back in a reasonable amount of time (end of business day), I'd look up online how to go about reporting it, which I'd do first thing tomorrow.

Not because I'd be super worried about a breach, I'm sure it's just a clerical error, but if the problems with data security systems aren't reported, no one will know there's a problem.
 
if what you think happened has happened with the record/change of address etc mix up, there is a man with the name on my letter, so I have his full name and his NHS number? It’s not likely that his first name and my last name have somehow been merged into a new hybrid name?!

And also @Sandstone - sorry, my brain is being a bit slow tonight...if I contact PALS what am I asking them to act on? To help get my appointment booked in? Or to report the breach? Or…?

It would be much harder to merge two records with partial names - it can be done, largely because people turn up at A&E using multiple names, but you would notice you were doing it, especially if both records had activity on them, whereas picking up the (wrong) record and changing the address is everyday activity.

if the woman or the supervisor calls me back, what do I do? Do I say I want to make a complaint and ask what their procedure is/who to contact etc? Or do I ignore that and just focus on getting my appointment sorted and then make a complaint/report it afterwards?
Personally I'd find it hard to keep on an even keel after saying I wanted to make a complaint, so I'd focus on finding out what had happened and how they were going to resolve it, then make the complaint separately. You might be better at handling conflict though. You could also ask for the contact details of the Trust's Caldicott guardian, or find them via the spreadsheet at Our services - NHS Digital

I'd go to PALS just to get the appointment booked. They are usually very effective at unblocking logjams. They will probably encourage you not to complain, but you can ignore that.
Think I am more rattled by this than I first thought!
Yes, medical stuff is tricky anyway; throw in identity confusion as well and I'd be wobbling.
 
@barefoot - I am not in your system of health care. But I'd suggest pushing through all the mess and getting that appointment before you get bogged down in a complaints process. Keep the dodgy letter and find out why they have not received your referral first imo.
 
Ok, so I think I’m going to:

1) phone the hospital back (may not be able to do that til Monday) and ask whether they have tracked down my referral letter. I’m not sure whether they haven’t received it at all or whether they have but it just hasn’t been uploaded onto the system yet. Or are referrals all done on an online system anyway, in which case, if it’s not on the system, they haven’t got it at all?! I have a copy of my GP’s referral letter, which is dated about a month ago.

2) if they have got it I will get my appt booked in.

3) if they haven’t got my referral, ask them about that. And, if I don’t get anywhere, contact PALS to see if they can chase it.

4) after appt is booked, ask them about the error and how that happened and ask what they are going to do about that now. I’m thinking they are supposed to report it themselves as a breach?

ETA:

I should probably also add:
5) ask what their complaints procedure is. Then submit a complaint. And probably also report it to ICO. Making a complaint/reporting it feels quite anxiety-making so I’m going to try not to think about that for now and just focus on sorting the appointment first and hearing what they have to say about the breach.
 