UK healthcare provider Northumbria NHS Foundation Trust has received a warning from the Information Commissioner’s Office (ICO) after leaking patient data multiple times in 2014 to an unintended recipient.

The undertaking document comes after employees sent the patient details via a fax machine and failed to dial the correct number. The first incident occurred in March 2014 and four more followed over the ensuing two months, to the same recipient.

The same recipient contacted five times with patient info

ICO says that after the first leak the organization took the necessary measures to ensure that fax machines deliver information only to a predefined set of numbers belonging to health services. However, the security restraint was not applied to all wards and data was spilled to the public.

It appears that the details in the first faxes did not actually reach any destination because the owner of the number did not own a fax machine at the time. He made the effort of getting one at a later time, though, to determine the origin of the communication, and received personally identifiable information.

“The ICO’s investigation found that the trust failed to inform all wards about the original data breach and the actions that they should take to stop this mistake occurring again. The trust also initially made no effort to recover the documents once they were alerted to the problem,” ICO said on Monday.

Organization has to enforce better security policies

As a result, Northumbria Healthcare has until October 30, 2015, to set up procedures that would protect patient data as soon as it receives a data breach alert, implement measures to ensure consistent security standards across all wards.

Furthermore, the organization is required to establish a clear and unambiguous process for using safe haven fax machines, and staff should be reminded constantly of the requirements for using the devices.

The same October date is the deadline for providing personnel with adequate training regarding data breach situations and the steps that need to be taken to mitigate the risks.