UK hospital reports itself after 40 staff accessed crocodile attack victim’s records

Cambridge University Hospitals is investigating a potential data breach after 40 people were found to have accessed the medical records of a three-year-old who was allegedly thrown into a crocodile pit last week, and has reported itself to the UK’s data watchdog, the ICO.
- A viral news story triggered a data breach inside the hospital treating the victim. Forty staff accessed the medical records of the Cambridgeshire Zoo toddler, prompting Cambridge University Hospitals to self-report to UK regulator ICO.
- "I could access it" is not a legal defense. Having system access to a record is not the same as having a legitimate reason to view it – unauthorized access, even out of curiosity, is a criminal offense under UK data law.
- High-profile cases are a known flashpoint for insider breaches. The ICO is now pressing healthcare leaders to get ahead of the risk with proactive controls, not just reactive discipline.
In an incident that captured worldwide attention, the boy, who has not been named, is thought to have been pushed from a raised platform at a Cambridgeshire Zoo enclosure, a drop of 4.5 meters.
It has been reported that he was attacked by at least one crocodile.
The toddler was taken to Addenbrooke's Hospital on Thursday last week, and police said that they had arrested a 30-year-old man for attempted murder, who was later released on bail.
Legitimate access probe
The focus has now turned to why 40 members of hospital staff accessed the child's medical records during his treatment.
The hospital announced on Wednesday that it has referred itself to the Information Commissioner's Office (ICO) and is exploring whether there were legitimate reasons for the records to be accessed.
A CUH spokesperson said: "We have strict policies in place to safeguard patient data, and we take any breach extremely seriously.
"We know the vast majority of our 13,000 staff understand the fundamental importance of maintaining patient confidentiality and upholding the highest professional standards.
"Where any member of staff is found to have accessed patient records without legitimate clinical or operational reasons, we take robust disciplinary action, including dismissal.
"As part of our response to any breach, we notify both the ICO and apologize to patients and their families affected."
“Curiosity is not an excuse”
In a separate incident, a healthcare worker at a London clinic who tried to sell the Princess of Wales's private medical records was cautioned by the ICO earlier this month over the "deliberate misuse" of those records for financial gain.
In that case, the ICO concluded that “a caution was the appropriate and proportionate enforcement response."
On Monday, the watchdog’s chief, Paul Arnold, reminded healthcare staff that it was illegal to look at medical records without a legitimate reason.
In a blog post titled “Curiosity is not an excuse,” Arnold wrote that when a local incident becomes national news, there is a greater risk that staff may be tempted to access records they have no legitimate reason to view.
As a reminder, he said, “having the ability to view a record is not the same as having a legitimate need to do so.”
Arnold added that knowingly or recklessly accessing personal data without authorization is against the law and appealed to senior leaders to remind staff of their responsibilities towards patient confidentiality.
“Ask yourself honestly whether your organization is doing enough to prevent unauthorized access before it happens.”
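The pattern the ICO describes, many staff opening one patient's record after a case hits the news, is visible in the access audit trail that electronic record systems already keep. The script below is an added illustration, not code from the hospital, the ICO or the article. It assumes an audit export in the constructed form `timestamp,user_id,patient_id,action` and a constructed care-team roster giving the staff with a documented treating relationship; both the log lines and the roster are made up. It applies two defender-side checks: accesses by users with no relationship to the patient, and a spike in the number of distinct users opening a single record within a time window.

```python
"""Two audit-log checks for 'curiosity' access to patient records.

Constructed example (hypothetical data and field layout, not a real EHR
export): audit lines are `timestamp,user_id,patient_id,action`, and
CARE_TEAM maps each patient to staff with a treating relationship.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed audit lines. P-001 stands in for a high-profile admission:
# three care-team members open the record, then six unrelated users do.
AUDIT_LOG = """\
2025-01-16T08:00:00Z,u1001,P-001,view
2025-01-16T08:05:00Z,u1002,P-001,view
2025-01-16T08:10:00Z,u1003,P-001,view
2025-01-16T10:00:00Z,u2001,P-001,view
2025-01-16T10:02:00Z,u2002,P-001,view
2025-01-16T10:05:00Z,u2003,P-001,view
2025-01-16T11:30:00Z,u2004,P-001,view
2025-01-16T12:45:00Z,u2005,P-001,view
2025-01-16T13:00:00Z,u2006,P-001,view
2025-01-16T09:00:00Z,u1004,P-002,view
2025-01-16T15:00:00Z,u1004,P-002,update
"""

# Constructed roster: users with a documented clinical relationship.
CARE_TEAM = {
    "P-001": {"u1001", "u1002", "u1003"},
    "P-002": {"u1004"},
}


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    patient: str
    action: str


def parse_audit_log(text):
    """Parse CSV audit lines into Access records; blank and '#' lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, patient, action = line.split(",")
        events.append(Access(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                             user, patient, action))
    return events


def accesses_without_relationship(events, care_team):
    """Accesses by users who are not on the patient's care team."""
    return [e for e in events if e.user not in care_team.get(e.patient, set())]


def distinct_user_peaks(events, window=timedelta(hours=24)):
    """For each patient, the largest number of distinct users who opened
    the record inside any window of the given length."""
    by_patient = defaultdict(list)
    for e in events:
        by_patient[e.patient].append(e)
    peaks = {}
    for patient, evs in by_patient.items():
        evs.sort(key=lambda e: e.ts)
        best = 0
        for i, start in enumerate(evs):
            # Window starts at this access; evs is sorted, so later events
            # with ts inside the window are the ones to count.
            users = {e.user for e in evs[i:] if e.ts < start.ts + window}
            best = max(best, len(users))
        peaks[patient] = best
    return peaks


def review_queue(events, care_team, threshold=5):
    """Patients whose record drew at least `threshold` distinct users in a
    window, mapped to the sorted non-care-team users who opened it."""
    peaks = distinct_user_peaks(events)
    unrelated = accesses_without_relationship(events, care_team)
    queue = {}
    for patient, peak in peaks.items():
        if peak >= threshold:
            queue[patient] = sorted({e.user for e in unrelated
                                     if e.patient == patient})
    return queue


if __name__ == "__main__":
    evs = parse_audit_log(AUDIT_LOG)
    for patient, users in review_queue(evs, CARE_TEAM).items():
        print(f"{patient}: {len(users)} accesses outside the care team -> {users}")
```

The threshold and window are tuning knobs: a busy ward legitimately generates many distinct users per record, so the spike check is a prompt for human review, while the relationship check is the one that answers the ICO's question of whether each viewer had a legitimate need.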