GP practice fined £35K for failing to secure medical records

The Information Commissioner’s Office (ICO) has fined London surgery Bayswater Medical Centre (BMC) £35,000 after highly sensitive medical information was left unsecured in an empty building.

According to the ICO, the data was left exposed for more than 18 months – this included medical records, prescription information and patient identifiable medicines.

BMC vacated the building in July 2015 after moving to new premises, but continued to use it as a storage facility because of limited space at the new location. A member of the practice team attended the building on a weekly basis.

Another local GP surgery, NHS West London CCG, expressed interest in taking over the lease of the empty building, and had access from June 2016. After visiting the site, the prospective new leaseholder NHS West London CCG informed BMC that there were unsecured ‘Lloyd George Records’ on the site. BMC responded in July, acknowledging that the records were present.

What happened?

The prospective new leaseholder contacted BMC again in January 2017 to establish whether the medical information had been secured, as it was reluctant to let contractors access the site otherwise, and again in February 2017 to raise concerns. These concerns were also referred to NHS England.

NHS England launched an investigation and confirmed that there were a large number of unsecured patient records on the premises. It said that “it would have been apparent to anyone looking through the window that the premises were abandoned and patient files left littered throughout the premises with windows left ajar with potential access…”. It was also reported that the premises were secured by just one lock.

These findings show a complete disregard for information security and data protection. BMC consistently failed to protect or safely dispose of the data and, by allowing unsupervised access to the building, exposed the confidential records to unauthorised access.

Steve Eckersley, head of enforcement at the ICO, said:

It is our duty to stand up for people’s data right[s] and to ensure that their sensitive personal information is protected. Out of sight is definitely not out of mind. We don’t want anyone to think that they can avoid the law or their duties by abandoning personal data in empty buildings.

Organisations need to take data protection and information security seriously – especially those in the healthcare sector. Employees who handle sensitive data must also be aware, and it is vital that they understand the importance of information security and best practices.

Better protect your information assets

Our Information Security Staff Awareness E-Learning Course can help your employees learn about the most important elements of information security. The course will teach them how to avoid becoming a security liability, introduce your internal policies on incident reporting and responses, and provide basic knowledge of information security best practices to reduce preventable mistakes.

Discover how our Information Security Staff Awareness E-Learning Course can help your staff >>


  1. Nick Davies 6th June 2018
    • Emma Bordessa 6th June 2018