Tuesday, June 4, 2013

Penalty Too Lenient in UK Medical Data Theft?

Paul Hedges, a UK community fitness center health manager, stole medical information about 2471 clients to assist in establishing a business of his own. Prosecuted under the UK Data Protection Act, he was fined £3000, as well as a £15 victim surcharge and £1376 prosecution costs.

The consequences of this insider breach do not seem severe enough to a number of parties.

"Should a data controller have no responsibility for preventing an insider breach other than issuing login credentials to those authorized to access a database? What's reasonable to expect of data controllers?" - PHIprivacy.net
For example, the UK Information Commissioner's Office's (ICO) Christopher Graham said, "This case shows why there is a need for tough penalties to enforce the Data Protection Act. At the very least, behavior of this kind should be recognized as a 'recordable offense', which it isn't now. For the most serious cases the current 'fine only' regime will not deter, and other options including the threat of prison should be available."

In the US, according to PHIprivacy.net, such a case would have brought "exceeding authorized access" charges as well as criminal charges, since this theft of sensitive information was for financial gain. What is your opinion? Do you agree with the ICO that financial penalties alone will not deter data thefts?

Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) "UK: Man made redundant fined for stealing sensitive information", www.PHIprivacy.net, 05/23/2013


Copyright © 2010-2017 by Veriphyr Incorporated, All Rights Reserved.
