What to do if you have a personal data breach in your Private Practice.

May 25th, 2018 may seem a while back now – in fact it’s been a good four months. In this relatively short space of time, already at Private Practice Ninja Tech, we’ve helped colleagues deal with their first data breaches.

Think this won’t happen to you? Think again.

Even with the best systems and processes in place, things can go awry. This is made even scarier and more stressful if you learn of the breach in the middle of a very packed clinic, especially if you don’t have a Scooby Doo how to deal with it.


Why do you need to be “Boy Scout” prepared?

Because you’ve only got 72 hours to report what has happened to the ICO.


This isn’t something you can sort out by “winging it” and hoping that you can then sort out your processes after the event. This is something you need to have in place now.

The ICO insist that… “the GDPR introduces a duty on all organisations to report certain types of breach to the relevant authority and you must do this within 72 hours of becoming aware of the breach”.

They also say… “You should ensure that you have robust breach detection, investigation, and internal reporting processes in place”.

I’m willing to bet many clinicians working in Private Practice would struggle to demonstrate this.

If that’s you, then it’s time to wake up and smell the coffee, and not make the mistake of being complacent or hoping it won’t ever happen to you.

A data breach isn’t just about “nasty people” on the dark web hacking into airline companies’ stored credit card details. It includes personal data breaches, which means “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”.

In other words, it includes everyday clinic examples, such as accidentally sending an MRI report to the wrong patient via email or losing those paper notes.

This, incidentally, is my number one reason for encouraging clinicians to move out of the dark ages of keeping paper notes, and into the light of backed up digital notes.


Because fire, flood and theft “will learn yer” (as my Mother says). There is no such thing as a backup for paper notes. The definition of data breach includes DATA LOSS. You might think that your locked filing cabinet in a locked basement room is secure, but a burst sewage main down the road could see your practice going down the drain (excuse the pun).

If your practice uses paper notes, or if you’re a medical administrator working for a Consultant who insists on clinging to paper notes, then get in touch. We can help guide you through the transition into the bright new digital world.

So, what do you actually do if a data breach occurs?

Once you’ve calmed down (or had a stiff gin), it’s time to take some rapid action.

1. You’ll want to refer to a checklist, known as a data breach policy. Don’t have one? Well, it may be news to you, but the ICO insists that you have one. Need help finding the right one for your practice? Book into a Ninja Tech Clinic.

2. The moment you know that a breach has occurred, try to determine what has happened and how it occurred. Did you ping out an email to the wrong patient, or was a CD-ROM lost on a consulting room floor or left in a computer drive?

3. Ask yourself what you can do immediately to plug some holes. For instance, if you’ve just realised an encrypted email has been sent out via Egress to Mrs. Jones when you meant to send it to Mr. Jones, log into your Egress account and revoke any further access so that the email can no longer be opened.

   Need a reminder of how to do this? Click here: https://bit.ly/2L0lUi9

   If you manage to get there in time, and the email has been successfully revoked without being viewed (and you can demonstrate this with Egress’ log), you don’t have to report it to the ICO. You do, however, still need to record it.

4. If you think there is any potential risk of harm to a patient, for example sensitive data getting into the wrong recipient’s hands, you need to inform the ICO.

   To do this, gather together your facts and then fill out a ‘personal data breach reporting form’.

   You will find one here: https://ico.org.uk/for-organisations/report-a-brea…

   Alternatively, you can call 0303 123 1113. Ninja Top Tip: pop this number into your phone’s contact list. Just in case, like ; )

5. Once this process is underway, you need to record the breach in a “Company data breach register”. Start documenting what happened. Trace through the steps leading up to the breach and look to see if you can find details of how the data has moved around.

   For instance: Egress audit logs, Office 365 message tracking, reviewing emails and practice management digital notes.

The ICO will want the following:

- A description of the personal data breach, and the kinds and (potential) numbers of individuals affected.
- The kinds of personal data concerned in the data breach.
- The name and contact details of the data protection officer in your practice.
- What the consequences of the data breach will be.
- Very importantly, a description of the measures you have taken, or are proposing to take, to deal with it. They’ll also want to understand what steps you will be taking to mitigate any possible adverse events. In other words, what are you going to do to clear up the mess?
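To make the steps above and the ICO’s list concrete, here is an added example (not from the original post or from Private Practice Ninja) of one entry in a practice’s data breach register: it carries the fields the ICO form asks for, works out the 72-hour deadline from the moment you became aware, and applies the post’s rule that a revoked, provably unread email is recorded but not reported while anything with a potential risk of harm must be reported. The field names, the `new_record` helper and the sample breach are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Added example, not part of the original post: one entry in a practice's
# data breach register with the two decisions the post describes -
# whether the ICO must be told, and by when.
REPORTING_WINDOW = timedelta(hours=72)
# Register fields that must be filled before the ICO reporting form can be completed.
REQUIRED_FOR_ICO = ("description", "data_categories", "individuals_affected",
                    "dpo_contact", "consequences", "measures")


@dataclass
class BreachRecord:
    became_aware: datetime                  # when the practice learned of the breach
    description: str = ""                   # what happened and how it occurred
    data_categories: list = field(default_factory=list)  # e.g. ["health", "name"]
    individuals_affected: int = 0           # (potential) number of people affected
    dpo_contact: str = ""                   # data protection officer name and contact
    consequences: str = ""                  # likely consequences for those affected
    measures: str = ""                      # measures taken or proposed
    risk_of_harm: bool = True               # any potential risk to a patient?
    revoked_unread: bool = False            # e.g. Egress revoke succeeded before opening
    revoke_evidence: str = ""               # audit-log reference proving it was unread

    def must_report_to_ico(self) -> bool:
        # Record-only case: access was revoked AND the log shows it was never viewed.
        if self.revoked_unread and self.revoke_evidence:
            return False
        return self.risk_of_harm

    def reporting_deadline(self) -> str:
        # 72 hours from becoming aware, as an ISO timestamp.
        return (self.became_aware + REPORTING_WINDOW).isoformat()

    def hours_remaining(self, now_iso: str) -> float:
        now = datetime.fromisoformat(now_iso)
        return (self.became_aware + REPORTING_WINDOW - now) / timedelta(hours=1)

    def missing_ico_fields(self) -> list:
        # ICO-required fields still empty in this register entry.
        return [f for f in REQUIRED_FOR_ICO if not getattr(self, f)]


def new_record(aware_iso: str, **fields) -> BreachRecord:
    # Convenience constructor taking the awareness time as an ISO string.
    return BreachRecord(became_aware=datetime.fromisoformat(aware_iso), **fields)


if __name__ == "__main__":
    # Constructed sample: an MRI report emailed to the wrong patient.
    r = new_record("2018-09-24T10:15:00", description="MRI report emailed to wrong patient",
                   data_categories=["health"], individuals_affected=1)
    print(r.must_report_to_ico(), r.reporting_deadline(), r.missing_ico_fields())
```

The `missing_ico_fields` check is the useful part in a packed clinic: it tells you what still has to be gathered before the form or phone call, while the clock keeps running.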

It’s time to put your GDPR house in order if you’re going to effectively deal with this potentially very stressful situation when it arises… and there’s a very high likelihood that at some point, the poop will hit your metaphorical fan, because it’s human nature for us to not be perfect.

Whilst the ICO are fabulously helpful if you ring them up (they really are), they also have the power to hit you with a big fine. In case you need reminding, this can be up to 4% of your company’s annual turnover or up to twenty million euros, whichever is the higher.

If you’re concerned that your current systems and processes might not be up to scratch, if you’re a paper-reliant practice, or if you’ve been putting off the whole GDPR thing in general, then please get in touch for a chat or Book into a Ninja Tech Clinic.

We’ll help make things a whole lot less scary for your Private Practice.

Together we can grow your Private Practice.



Email or call us: 0207 993 6425

https://fb.me/privatepracticeninja
https://linkedin.com/in/practiceninja
http://www.instagram/privatepracticeninja
https://twitter.com/PracticeNinja
dojo@privatepracticeninja.co.uk