Staff at the prestigious hospital at the center of a data breach involving the Princess of Wales’ private medical records may have faced a “decoy” trap set by officials, experts believe.
The Department of Health can reveal that, three months on, the London Clinic remains under investigation and the matter has not yet been referred to Scotland Yard, although the Health Minister, Maria Caulfield, said in March that police had been asked to examine it.
Hospital bosses launched an investigation after it was claimed at least one member of staff attempted to access Kate’s personal information following her planned abdominal operation in January.
It is a criminal offense for any NHS or private healthcare staff to access a patient’s medical record without the consent of the organisation’s data controller.
Several data scientists told this newspaper that, had the breach occurred, staff could have been caught through a “decoy” tactic used by private hospitals that often have high-profile clients.
The Princess of Wales was receiving private medical treatment at the London Clinic when staff were accused of trying to access her personal details following a planned abdominal operation.
The London Clinic remains under investigation. It is a criminal offense for any NHS or private healthcare staff to access a patient’s medical records without their consent.
Health Minister Maria Caulfield called for the matter to be investigated by police.
To protect the health data of VIP patients, hospitals often store it in a file under a false name.
A “decoy” file is then created under the celebrity’s real name. This contains false information and is regularly checked by bosses to see if wayward staff members have opened it without permission.
If a breach is suspected, hospitals are required to launch their own investigation while the Information Commissioner’s Office (ICO) investigates whether management did anything wrong. But this process is painstakingly slow.
Sam Smith, of health data privacy group MedConfidential, said: “It is disappointing but sadly fitting that three months on there is no update on the investigation. »
He said data breaches were “unfortunately common”, adding: “It’s rare that people find out a data breach has happened, even rarer that they can get evidence to prove it, and if they do, the process is still very slow. ‘
Tom Llewellyn, commercial litigation and data protection partner at law firm Ashfords, said: “It could take years before action is taken against individuals. »
He highlighted a similar case last year, when a former NHS secretary was fined £648 for accessing the medical records of more than 150 patients – four years after the breaches.
Last month, a hospital doctor was disbarred three years after reading the health data of a woman he met on a dating app in 2021.
The London Clinic has not provided any updates since the alleged breach of the Princess of Wales’ health data was reported.
The ICO told the MoS: “Investigations of reported data breaches can be very complex and our expert team must be given sufficient time to carry out their investigations.
To protect the integrity of a live investigation, we will not provide regular updates on its progress to those not directly involved until its conclusion.
The Met Police confirmed they were “not aware of any referrals” regarding the breach.
Kensington Palace said: “This is a matter for the London Clinic. »
dailymail us
