NHS Lanarkshire staff have been reprimanded for sharing patient details on WhatsApp.
The Information Commissioner’s Office (ICO) launched an investigation following the data breach after it was found that personal information had been shared in an unauthorised group chat over the course of two years.
The ICO found that 26 members of staff had shared access to patients' names, numbers and addresses, as well as clinical information on multiple occasions between April 2020 and April 2022.
The messaging app was adopted as a form of communication during the pandemic but had not been approved for processing patient data. After a non-staff member was accidentally added to the group, breaching patient-doctor confidentiality, NHS Lanarkshire reported the incident to the ICO.
Trudi Marshall, nurse director at Health and Social Care North Lanarkshire, said: "We have received a formal reprimand from the ICO for the use of WhatsApp by one of our community teams to exchange personal patient data during the pandemic.
"We recognise that the team took this approach as a substitute for communications that would have normally taken place in either a clinical or office setting, but was not possible at that time due to Covid restrictions. However, the use of WhatsApp was never intended for processing patient data."
UK information Commissioner John Edwards said: "Patient data is highly sensitive information that must be handled carefully and securely. When accessing healthcare and other vital services, people need to trust that their data is in safe hands.
"We appreciate that NHS Lanarkshire, like all healthcare providers, was under huge pressure during the pandemic but there is no excuse for letting data protection standards slip.
"Every healthcare organisation should look at this case as a lesson learned and consider their own policies when it comes to both messaging apps and processing information about patients.
"We will be following up with NHS Lanarkshire to ensure that patient data is not compromised again."
