A FORMER staff member at Withybush Hospital inappropriately accessed electronic patient hospital records the health board has said.

Hywel Dda Health Board said it has written to 41 people to provide them with information and support after its own investigation identified the breach.

The individual, an administrator at Withybush Hospital is no longer employed by Hywel Dda after breaching patient confidentiality and acting outside of NHS and the health board’s own policies on data protection and information governance.

The health board has also referred the situation to the Information Commissioner for independent investigation.

All patients affected have been written to and offered the opportunity to discuss the situation with the health board through a helpline number, which can be contacted on 01437 773969/01437 773970. Please note it is open between 8.30am to 8pm today and tomorrow (January 23 and 24) and 8.30am to 5pm on January 25 and 26.

Individuals can also contact the Information Governance Team by email Information.Governance.HDD@wales.nhs.uk

Chief Executive Steve Moore said: “This is a matter that we take extremely seriously and we have written to every patient directly affected to apologise for the actions taken by this individual which go against health board policies and procedures.

“We are able to reassure people that our review has shown no changes or amendments were made to records. It also produced no evidence that the information has been used by the individual for any purpose other than to view.”

He added: “We faced a similar but much larger scale breach in 2016 but it makes this none the less serious for those patients affected. We understand and acknowledge how distressing this is for those affected, especially for any who may be vulnerable, and we have set up a helpline should they wish to discuss this further with us.”

The concern was originally picked up by a manager which resulted in a full investigation being undertaken by the Health Board. This involved collecting evidence from witnesses and reviewing the extent of the breach as the individual did have appropriate reason to access patient records as part of their job. Since then, the board has been working to ensure it had the correct information and ability to contact all individuals affected appropriately.

The Health Board has introduced an electronic system which provides a better and efficient way of checking access to electronic hospital records. Called, the National Intelligent Integrated Auditing Solution (NIIAS), it is licensed for use by all NHS Wales health boards and trusts and helps monitor electronic information systems and flag up potential instances of unauthorised access to patient information, for further investigation. The Board has implemented an Information Governance Team and carried out extensive training and communications with staff to ensure they understand their responsibilities in maintaining strict patient confidentiality.

Mr Moore said: “We will continue to prioritise this work until we have full assurance that all staff are complying with our policies and procedures around patient confidentiality. I say with confidence that most of our staff are extremely disappointed and devastated by breaches of this nature by individuals. At the core of our values as NHS staff members and employees of Hywel Dda University Health Board is the obligation to protect our patients, treating their information with respect and protecting their right to confidentiality.”

The Health Board has also proactively referred the breach to the Information Commissioner’s Office. The Commissioner is responsible for upholding rights in the public interest, promoting openness by public bodies and privacy for individuals. It is an independent regulatory office dealing with the Data Protection Act and has its own enforcement rights for any breaches under the Act.

Should the Information Commissioner’s Office determine the access constitutes a breach, they have the power to commence criminal proceedings against the individual. Equally, the Information Commissioner could take action against the Health Board should they consider it failed to take appropriate organisational or technical measures to protect individuals’ personal data.

If you have not been contacted directly by the health board about this situation then you are unaffected and do not need to take further action. Anyone who has been contacted and who is distressed or has concerns, can contact the helpline on 01437 773969/01437 773970. Please note it is open between the hours of 0830- 2000 23rd & 24th January and 0830 – 1700 25th & 26th.

Also you can email: Information.Governance.HDD@wales.nhs.uk if you would like to arrange a call-back from the team on a day and time that is convenient for you.