Tayview Medical Practice faces scrutiny following an inadvertent disclosure of patient information, wherein invoices containing patients’ names, addresses, dates of birth, and private medical work details were mistakenly emailed to an individual patient on September 20. The breach, affecting patients registered at Tayport and Newport-on-Tay surgeries, involves approximately two years’ worth of patient invoices.
The breach came to light only on November 7, despite occurring earlier in September, according to a letter sent to patients by business manager David Ramsay. The Information Commissioner’s Office (ICO) is currently investigating the breach, obligating organizations to report such incidents within 72 hours.
While the exact timeline of when the ICO was informed and the total number of affected patients remains undisclosed, Tayview caters to over 9,000 registered individuals.
The inadvertent email recipient reported the receipt of a substantial amount of files, signifying potential exposure of hundreds or even thousands of patient records. The breach caused distress among patients, with one individual expressing deep concern over the compromise of personal and medical information.
Tayview Medical Practice charges for various private services, including medicals for firearms applications, assistance with power of attorney registration, and reports for insurers and solicitors.
David Ramsay’s communication to affected patients detailed the breach, reassuring them that protective actions were unnecessary. An internal investigation is slated for completion by November 24. He offered an unreserved apology, acknowledging the breach’s gravity and the ensuing concerns.
The practice is instituting preventive measures to avoid future breaches, including addressing the staff member involved in the incident. However, when approached for comments, Tayview Medical Practice was unavailable, citing Mr. Ramsay’s absence on leave.
The ICO emphasized individuals’ right to secure and responsible handling of personal data, urging concerned parties to initially engage with the organization and escalate the matter to the ICO if dissatisfied with the response.
