
Based on the following BBC article (https://www.bbc.co.uk/news/uk-scotland-glasgow-west-66364283), I identified the main causes of the data breach at NHS Lanarkshire:

  1. Unauthorized use of WhatsApp: Staff used WhatsApp, which NHS Lanarkshire had not approved for sending and receiving patient data, to communicate sensitive patient information. This was a clear violation of data communication policy.
  2. Lack of knowledge and awareness: The staff may not have been adequately trained or made aware of the risks of using unauthorized communication platforms to handle patient data.
  3. Drifting from the initial purpose: The WhatsApp group was originally set up for administrative purposes and crisis planning during the COVID-19 pandemic, but it gradually drifted from its intended use. Members began sharing sensitive patient data that was not authorized for sharing on the platform.
  4. Missing policies and monitoring: NHS Lanarkshire did not have appropriate policies, clear guidance, or processes in place for the use of WhatsApp when it was made available. In addition, data handling policies were not monitored or enforced.
  5. Unintentional disclosure: An external person (not a staff member) was mistakenly added to the WhatsApp group, which disclosed patient information to an unauthorized individual.

Could this have been avoided? Yes, it could have been avoided by implementing the following measures:

  1. Clear data handling policies: NHS Lanarkshire should have clear policies and guidelines for the use of communication platforms, especially when sensitive patient data is involved. Staff should be trained on these policies and on the approved use of digital platforms, and regularly reminded of them.
  2. Secure communication tools: Instead of unauthorized platforms such as WhatsApp, Messenger, Imo or Snapchat, the organization should provide secure communication tools designed for healthcare environments, with built-in encryption and other security features.
  3. Data encryption: All patient and employee data, including images and videos, should be encrypted to protect it from unauthorized access, and only authorized users should be able to decrypt it.
  4. Access controls: Implement strict access controls so that only authorized personnel can access patient data, and regularly review and audit access permissions. Multifactor authentication (MFA) or biometric authentication is strongly recommended for accessing patient data on the authorized system.
  5. Training and awareness: Run training and awareness programs for staff on data security and on the importance of following organizational policies and procedures.

In this case, the Information Commissioner chose not to fine NHS Lanarkshire but emphasized the importance of learning from the incident. While there may not have been intentional misuse of data, the incident exposed patient data to risk, and it is essential for healthcare organizations to take data protection seriously and continually improve their data security practices.
