Pharmacyrepublic Limited lost around 2000 patients personal details when a computer was stolen from their premises.
Pharmacyrepublic Limited contacted the ICO in September 2011 to report the theft of a Patient Medication Record (PMR) system. The system contained details of the medicine handed out to patients at one of its pharmacies, and was stolen while the pharmacy was being transferred to another provider. The system was supplied by another firm and Pharmacyrepublic failed to ensure that the system was securely returned to the company before leaving the premises.
The ICO’s investigation found that the system contained a limited amount of sensitive information relating to the medicine being administered to the pharmacies’ patients. The system was used to identify any problems when multiple drugs were administered to the same patient. The data hasn’t been recovered.
Stephen Eckersley, the ICO’s Head of Enforcement said:
“It is important that companies have measures in place to keep personal information secure at all times. If a company is vacating premises then they should ensure that any equipment used to store peoples’ data is handled correctly. In this case the system should have been returned to the wholesaler safely and securely.
“This incident should act as a warning to all healthcare providers – your data protection obligations do not end while the personal information of your patients remains on site and in your control.”
Personal Health Information(PHI) is a growing issue as pharmaceutical companies invest more and more money in clinical trials. In the US PHI is specifically covered by the Health Insurance Portability and Accountability Act (HIPAA) and in the UK and Europe it is handled by Data Protection Acts. An overview of PHI protection and governance is here.