A major UK hospital has launched an investigation after 40 staff members accessed the medical records of a three-year-old boy injured in a crocodile enclosure at a nearby zoo.
Cambridge University Hospitals (CUH) has also self-referred the incident to the UK’s independent data protection regulator, and notified the family of the child who was attacked at Norfolk Zoo in England’s East.
“We have strict policies in place to safeguard patient data and we take any breach extremely seriously,” a CUH spokesperson said. “We know the vast majority of our 13,000 staff understand the fundamental importance of maintaining patient confidentiality and uphold the highest professional standards.
“Where any member of staff is found to have accessed patient records without legitimate clinical or operational reasons we take robust disciplinary action, including dismissal.”
The Trust has an existing process for restricting patient records where there is “significant public interest”, requiring anyone who accesses them to provide a valid care reason, the spokesperson said, adding that the restriction had been applied in this case.
A spokeswoman for the Information Commissioner’s Office confirmed that the regulator was reviewing the report.
“This is a wider issue across the health sector that we are supporting organisations to address,” she said. “We are working closely with the National Data Guardian and NHS England, and we continue to remind all organisations about the importance of keeping patient data secure.”
Similar incidents have prompted investigations at other NHS trusts in recent years.
In May, Nottingham University Hospitals NHS Trust (NUH) said it had dismissed 11 members of staff for inappropriately accessing the medical records of three people murdered in June 2023 by Valdo Calocane, who was diagnosed with paranoid schizophrenia.
Last week, the ICO cautioned a former healthcare worker for trying to obtain and sell the medical records of the Princess of Wales.
Inappropriate access to health records remains rare, ICO chief executive Paul Arnold observed in a blog on the organisation’s website, entitled “Curiosity is not an excuse: protecting patient data in healthcare”. The issue, he said, was “primarily a cultural challenge” elevated when local incidents become national news stories.
However, the said recent high-profile cases “point not to isolated incidents but to a worrying trend that requires a serious response across the healthcare sector.”