A former health worker has pleaded guilty to unlawfully obtaining patient information by accessing the medical records of five members of her ex-husband’s family in order to obtain their new telephone numbers.
Juliah Kechil, formerly known as Merritt, a former Health Care Assistant in the outpatients department at the Royal Liverpool University Hospital, was convicted under section 55 of the Data Protection Act at Liverpool City Magistrates Court today. She was fined £500 and also ordered to pay £1,000 towards prosecution costs and a £15 victim surcharge.
Ms Kechil accessed the medical records of the five individuals between July and November 2009. Royal Liverpool University Hospital began an investigation in November 2009 when the defendant’s father-in-law contacted the hospital after receiving nuisance calls which he suspected had been made by his former daughter-in-law. Having changed his phone number in July 2009 following unwanted calls from Ms Kechil, he was immediately concerned that there had been a breach of patient confidentiality.
Checks by the hospital revealed that none of the patients whose details had been compromised were at any time under the medical care of Ms Kechil and that she had no work-related reasons to access their records. She accessed the information for her own personal gain without the consent of her employer. The accesses were traced through audit trails which were linked to the defendant’s smartcard ID.
Head of Enforcement, Steve Eckersley, said:
“Unlawfully obtaining other people’s information for personal gain is a serious offence which can have potentially devastating effects. Ms Kechil accessed medical records for entirely personal reasons. The breach of their privacy would obviously have been very distressing for the individuals involved.
“People should be able to feel confident that their personal details will be stored securely and only accessed when there is a legitimate business need. We will always push for the toughest penalties against individuals who abuse this trust.”
Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998. The offence is punishable by way of a financial penalty of up to £5,000 in a Magistrates Court or an unlimited fine in a Crown Court. The ICO continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information.