It has been reported that MG, a physiotherapist working at Liverpool Women’s Hospital lost two boxes of patient records, which he removed from the Hospital premises to conduct his own clinical trial. The physio has now been suspended for running the trial without proper authorisation.

MG used Hospital consent forms to obtain patient approval to use their data in his clinical trial and moved the sensitive records to a private practice. He used NHS follow up appointments to take readings for his study, designed to monitor the effects of Tecartherapy – involving the use of a medical device to heat up tissue beneath the skin.

However, on 9 November 2018, MG had to report that two boxes of patients’ sensitive data (including his own research data) had been lost. This was recorded on the Hospital’s risk management system Ulysses.

The case was referred to the Health and Care Professions Tribunal Service (HCPTS) and a disciplinary panel found that the physio carried out his research without regulatory approval and that he had breached patient confidentiality.

The data breach investigation

The Panel ruled that it was “satisfied that these were extremely serious breaches of the Trust’s patient confidentiality and data protection procedures.” And it was satisfied that as a senior practitioner MG would have been “fully aware of the need to obtain informed consent from the patients for their data to be used and that he would have also been aware that it was crucial to obtain a data sharing or transfer agreement.”

It also noted that MG had physically removed patient medical records from the Hospital premises without authorisation and found that MG “knew that it was completely inappropriate for him to use NHS resources for work that was not NHS treatment and that his actions in this regard were dishonest.”

The Panel concluded that it was “satisfied that [MG’s] behaviour amounted to serious professional misconduct that would rightly be characterised as deplorable by fellow practitioners and the wider general public.”

By their very nature medical records contain highly personal information and their confidential nature means that they are afforded special status in data protection legislation. Clearly their unauthorised use could result in extreme embarrassment or even distress those affected

If you have suffered distress as a result of a data breach by a medical professional and/or medical support staff, please get in touch and one of our specialist solicitors at DRM Legal who will be able to advise if you are eligible to bring a data breach claim.