Workers at a National Health Service hospital in the United Kingdom were reprimanded for their role in an extremely narrow data breach that exposed the personal information of exactly one person: Ed Sheeran.
According to the BBC, two medical staff workers at Ipswich Hospital in Suffolk, England, accessed the health records of the famous singer and Game of Thrones background actor for no legitimate reason. The staffers were both given a written warning for the incident, and a member of the administrative staff was fired.
Sheeran checked into the hospital on October 16th, 2017, after suffering a bicycle accident that broke his right wrist and left elbow and forced him to cancel a number of his tour dates. During his brief stint at Ipswich Hospital, he was asked to take pictures and sign autographs for the staff.
The BBC filed a Freedom of Information request regarding the visit, at which point it discovered members of the staff were responsible for a data breach. While the hospital did not disclose how exactly the employees accessed Sheeran’s files or what information they gleaned from them, the FOI response noted that the workers “accessed patient information without legitimate or clinical reason.”
The snooping incident caused the hospital to launch a review of how it goes about providing care to “high profile” patients, examining “confidentiality, privacy of the patient and their loved ones, and practical considerations.” The hospital first made note of the review in April but did not disclose the data breach at the time.
While the Sheeran episode obviously affected very few people (just Ed, really), it’s still certainly a data breach, and it raises a considerable number of questions regarding the safeguards put in place to protect the privacy of patients.
ProPublica highlighted these small-scale infractions, which can often lead to much larger violations of privacy for individuals. The publication shared the story of a woman who was outed on social media for testing positive for HPV after an acquaintance who worked at the hospital where she was treated looked at her records. In another case, a nurse searched the medical records of her nephew’s partner and found she had a child that she put up for adoption. That secret was exposed to the rest of the family without consent.
These types of breaches may not grab headlines the way massive hacks or ransomware campaigns like the one that hit NHS hospitals in 2017 do, but the small incidents happen with more regularity than you might think. A 2011 survey of healthcare IT managers found that 27 percent of breaches of personal health information were the result of workers improperly accessing the records of friends and relatives. That’s enough to make anyone nervous about their next doctor visit.