A patient filed a complaint in June 2019 claiming their medical records had been accessed by an NHS employee
The Information Commissioner’s Office (ICO) reported this week a former UK National Health Service (NHS) employee has been found guilty and fined for illegally accessing the medical records of more than 150 people.
Loretta Alborghetti, from Redditch, UK, was working as a medical secretary within the ophthalmology department at Worcestershire Acute Hospitals NHS Trust when she illegally accessed the records, according to ICO records.1
“People should never have to think twice about whether their sensitive data, such as their medical records, is secure and in safe hands,” Andy Curry, the ICO’s head of investigations, said in a news release. “We want to remind those in positions of trust that just because your job may grant you access to other people’s personal information, that doesn’t mean you have the legal right to look at it for your own purposes.”
A patient filed a complaint in June 2019 claiming their medical records had been accessed by an employee.
Officials kicked off an investigation that found Alborghetti had accessed the individual’s records 33 times between March 2019 and June 2019, without consent or a business need to do so.
According to the ICO report, Alborghetti accessed a total of 156 patient records without consent or a business need, viewing them more than 1800 times within the 3-month period. This included the records of family members and individuals with postcodes in the vicinity of her home, according to reports.
In her position with the NHS as a medical secretary, Alborghetti was responsible for accessing clinical and personal information of patients within the ophthalmology department. However, the individuals whose records were accessed had no medical conditions relating to ophthalmology.
According to ICO records, Alborghetti appeared before Worcester Magistrates’ Court on November 15, 2023. Following the investigation from the ICO, she pleaded guilty to unlawfully obtaining personal data in breach of Section 170 of the Data Protection Act 2018 and was ordered to pay a total of £648.1
“This case shows that the ICO will take action when confidential personal records are accessed unlawfully,” Curry concluded in the news release. “Curiosity is no excuse for breaching data protection laws.”