Fertility patients being treated at the Lister Hospital, part of the US-based HCA Healthcare group, discovered in April 2015 that transcripts of their confidential patient-doctor conversations were publicly available on the world wide web. After an investigation by the UK’s data protection authorities, HCA’s UK arm was fined £200,000 for the hospital’s breach.
HCA Healthcare UK, the private hospital group, incurred a £200,000 fine – a significant amount of money but less than half the maximum they could have faced under the Data Protection Act of £500,000. However, HCA Healthcare UK can thank their lucky stars that the new EU-wide data protection regime (GDPR) isn’t in force yet.
GDPR, the General Data Protection Regulation, comes into force next year and brings with it much higher potential fines: up to €20m or 4% of global turnover, whichever is the greater.
What happened at Lister Hospital serves as an example to all businesses of how easy it is to fall foul of the new data privacy legislation and incur fines much larger than might be anticipated. It is also a reminder of how seriously regulatory authorities take the protection of sensitive data.
The events that led to the fine
Let’s recap the events at the Lister that led to the fine. From 2009 to 2015, unencrypted recordings of discussions with patients at the Lister about their fertility treatments were sent to an audio transcription service in India.
No due diligence was done on how the transcription service would hold and safeguard the data. There was:
- no guarantee that the information would be kept in a secure manner
- no promise that the information would be deleted after the completed transcriptions were supplied
- no monitoring of the security of the data processor used
- no UK Data Protection Act compliant contract
In fact, the transcription service stored the data on an unsecured FTP server, with no means of restricting subsequent access to the transcripts or recordings.
It was from these servers that the data breach occurred – through a third party that had not been appropriately screened for compliance with healthcare privacy legislation.
Nor were the emails encrypted. Even if you were to ignore the lack of due diligence by Lister Hospital in trusting the transcription service company, and in not having the legally required level of contract in place, there were still basic failings such as the emails that were sent in the first place. These should have been encrypted automatically, triggered by any of the destination address (email policy), the attachment file type (data control) or even the message text (DLP). Whilst that would not have prevented this breach, it would at least have ensured that the data was sent to the service provider in a secure manner. As it stood, the transcription service was merely operating at a similarly low level of security to the hospital itself.
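As an added illustration of the policy-driven encryption described above (example code, not from the original post or from any product), here is a small outbound-mail classifier that applies the three rule types named in the paragraph to a constructed message; the processor domain, file types and text patterns are hypothetical policy values.

```python
import re

# Constructed outbound message, modelled on the Lister case: a recording of a
# patient consultation sent to an external transcription service.
SAMPLE_EMAIL = {
    "to": "jobs@transcribe-service.example",
    "subject": "Batch 12 for transcription",
    "body": "Please find attached the recording of the fertility consultation with the patient.",
    "attachments": ["consult_0412.wav", "notes.txt"],
}

# Hypothetical policy tables; a real gateway would load these from its configuration.
EXTERNAL_PROCESSOR_DOMAINS = {"transcribe-service.example"}    # email policy: known data processors
SENSITIVE_ATTACHMENT_TYPES = {".wav", ".mp3", ".m4a", ".docx"}  # data control: recordings and transcripts
DLP_PATTERNS = {                                                # DLP: indicators in the message text
    "patient": re.compile(r"\bpatient\b", re.I),
    "fertility": re.compile(r"\bfertility\b", re.I),
    "consultation": re.compile(r"\bconsultation\b", re.I),
}


def evaluate_outbound(email):
    """Return (action, reasons): 'encrypt' when any rule fires, otherwise 'allow'."""
    reasons = []
    # Rule 1: destination address. Mail to a known external processor is always encrypted.
    domain = email["to"].rsplit("@", 1)[-1].lower()
    if domain in EXTERNAL_PROCESSOR_DOMAINS:
        reasons.append(f"email policy: recipient domain {domain} is an external data processor")
    # Rule 2: attachment file type. Audio recordings and documents are treated as sensitive.
    for name in email.get("attachments", []):
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in SENSITIVE_ATTACHMENT_TYPES:
            reasons.append(f"data control: attachment {name} has sensitive type {ext}")
    # Rule 3: message text. Subject and body are scanned for patient-related terms.
    text = f'{email.get("subject", "")}\n{email.get("body", "")}'
    hits = sorted(label for label, pattern in DLP_PATTERNS.items() if pattern.search(text))
    if hits:
        reasons.append("DLP: message text matched " + ", ".join(hits))
    return ("encrypt" if reasons else "allow"), reasons


if __name__ == "__main__":
    action, why = evaluate_outbound(SAMPLE_EMAIL)
    print(action)
    for reason in why:
        print(" -", reason)
```

Any one of the three rules is enough to force encryption, so a message to an unlisted domain that still carries a recording is caught by the attachment rule.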
Reflecting on the breach
The Lister and HCA Healthcare UK voluntarily reported the breach to the ICO as soon as they found it.
There’s no doubt they got off lightly thanks to the prevailing data protection framework in the UK.
- If this had happened at an HCA hospital in the US, the consequences could have been more serious. US HIPAA legislation would apply, under which several penalties of more than $4m have been issued, compared to the maximum of £500,000 possible in the UK.
- If this had happened after GDPR came into force, HCA could have faced a fine of up to 4% of the total worldwide annual turnover of the preceding financial year or €20m. HCA’s revenue is at least $40bn, which means an eye-watering potential penalty of $1.6bn.
In reality it would be unlikely that the penalty would be anywhere near that size, as this was not an endemic practice within the HCA group and they had reported the breach themselves. Despite those mitigating factors, data protection authorities take the leak of such sensitive data very seriously.
Data protection authorities are wise to sophisticated accounting measures that can produce an apparent near-zero profit in the local holding of a multinational – hence the decision to base fines on overall global turnover. In this case, the failure was in a local subsidiary.
My speculation is that even under GDPR, the penalty amount would take that into account, potentially meaning a fine much smaller than the threatened maximum. But any findings that poor standards within HCA Healthcare UK are due to lack of guidance, processes and due diligence by the parent company could possibly add something extra to the penalty pot.
Whilst the potential billion-dollar penalties could be seen as a scare tactic that might never have actually been levied, it is an effective one and no corporate will want to risk becoming an example case.
Moving forward with GDPR
GDPR compliance is a critical task for both multinational companies and their local subsidiaries. This is obviously a complex task: multinationals will have to work to create and monitor standards across all their businesses, including those that they might normally not have much interaction with.
For the subsidiaries, the thought that a failure might result in a fine much higher than their total business worth should also focus minds on ensuring compliance with GDPR.
It’s worth remembering that once it’s in force, GDPR – and the potential fines – apply not only to EU businesses, but also to overseas companies with any presence in the EU, or that process the data of EU citizens. After all, in the Lister Hospital case, HCA trusted the India-based transcription service with the information and that service stored it insecurely.
GDPR is coming, and with it comes increased global scope and a very different risk profile. There are lessons for us all from the Lister Hospital’s experience.
Are you ready for GDPR – and are your subsidiaries ready for GDPR? Take our 60-second compliance check to see if you are at risk of breaching the new Regulation.