Sensitive patient data was shared on WhatsApp by at least 26 healthcare staff members in Scotland, resulting in over 500 verified instances of data disclosure. The data shared included names, addresses, images, videos, and screenshots, as well as clinical information of the individuals involved. However, the most concerning aspect was the unauthorized disclosure of personal data to an individual who was not part of the medical staff, and had been mistakenly added to the WhatsApp group.
The Information Commissionerās Office (ICO), the UKās data protection authority, announced this incident and has warned the responsible healthcare authority, NHS Lanarkshire. This organization serves a population of over 652,000 people in the council areas of North Lanarkshire and South Lanarkshire. The ICO emphasized that while WhatsApp is approved for basic communication among public health service employees in Scotland, it should not be used for sharing sensitive data, particularly when it involves the health status of patients.
During the investigation, it was found that NHS Lanarkshire had not provided clear policies and guidelines for the protection of privacy when using WhatsApp. Additionally, there was no assessment conducted on the potential risks associated with sharing patient data through the messaging app. Although the Scottish health service has not faced sanctions yet, they will be required to comply with prescriptions and recommendations made by the ICO.
John Edwards, the Director of the ICO, stated that while the healthcare professionals have been under immense pressure during the pandemic, there is no excuse for data protection standards to slip. Patient data must be handled with care and security, and people should be able to trust that their data is in safe hands when accessing healthcare services.
The issue of using WhatsApp for professional communication extends beyond Scotland. In Italy, WhatsApp is the most popular communication tool among healthcare professionals, with 84.3% of doctors using it compared to only 14.5% using Telegram or Messenger, according to a recent survey. The survey highlights the need for further evaluations and measures to ensure the protection of personal data when using these messaging apps in a professional setting.
The incident in Scotland serves as a reminder that even in a digital age, healthcare organizations must prioritize the proper protection of patient data. With the transition to digital platforms, it is crucial to implement organizational and technical measures to ensure compliance with data protection regulations such as the GDPR. Nicola Bernardi, president of Federprivacy, emphasizes the need for healthcare professionals to carefully evaluate and adopt secure technological tools to protect personal data in their daily practices.