back to article Q: If Pesky Pepper had a peek at patient papers, at how many patient papers did Pesky Pepper peek? A: 231

A bored trainee secretary at a GP practice has been fined for snooping on the health records of colleagues, friends and strangers. Hannah Pepper has to pay £1,028.75 after she was found to have illegally accessed 231 patient files while working at the Fakenham Medical Practice in Norfolk, an eastern county in the UK (for US …

  1. Semtex451
    Coat

    So you admit this is Fakenham news

    Sorry, been a long week

  2. This post has been deleted by its author

    1. Andre Carneiro

      Don’t you then have at least a moral obligation to report them?

      I really mean it, that’s serious shit.

      1. Version 1.0 Silver badge

        It would be serious if there was malice involved - but there doesn't seem to have been any. I think we all need to calm down - back in the old days we'd hear a voice from above saying that the whole garden was ours but don't pick the any fruit of that tree ... and what did we do?

        1. Crisp

          Re : It would be serious if there was malice involved

          The act is malicious in and of itself.

          If an unauthorised person reads my private medical information, then they have harmed me regardless of whether they intended to or not.

          1. Ian Johnston Silver badge

            Re: Re : It would be serious if there was malice involved

            If an unauthorised person reads my private medical information, then they have harmed me

            In what way, precisely?

            1. Danny 14

              Re: Re : It would be serious if there was malice involved

              i dont want people to learn how i contracted HIV, especially if they were a mate.

              I dont want my friends knowing I have uncureable bowel cancer and have 1 year to live.

              etc

    2. This post has been deleted by its author

  3. Version 1.0 Silver badge

    "suggested that at times she struggled with the monotony of some of her tasks" - essentially it sounds like she had a boring job and probably very low paid ... I wonder how many of us here would not have done the same thing in that situation?

    1. Anonymous Coward
      Anonymous Coward

      Please let me know where you work...

      ... I want to make sure you are nowhere near me or any of my family.

      "essentially it sounds like she had a boring job and probably very low paid ... I wonder how many of us here would not have done the same thing in that situation?"

      Most of us would not have done the same thing. I've seen my not-particularly inspiring salary eroded time and time again as the minimum wage goes up way quicker than mine and my colleagues (public sector pay freezes etc) but we wouldn't dream of doing this even if we had the time to spare.

      This isn't like taking a peek inside your bag at work, it's confidential information for a reason - what would you do if you found out one of your co-workers only had a short time to live, or had a really embarrassing condition or something else they really, REALLY didn't want you to know about?

      How would you feel if it was you who had the secret and someone found it out?

      It's an easy step from finding something "interesting" in someone's file to just having to share it with one other person, and then you or they share it with someone else because it's just too damn interesting to keep to yourself, and before you know it the tiny little mushroom cloud is out and it's too damn late to put it back in that nice shiny uranium sphere.

      I hope you never have to go through the agony of seeing someone you know have their life destroyed because someone else didn't understand the concept of "keep your f***ing nose out"...

      1. Version 1.0 Silver badge

        Re: Please let me know where you work...

        I understand how you feel but you're living in a fools world (sorry, no insult) if you think that information like this is hidden and only seen by you and your doctor.

        Look at the world these days, everything is stored somewhere and it's all accessible to people - the police can get at it, along with GCHQ, the local council, the insurance company can all get at it legally, it can be anonymized (in theory) and used for research - check the small print at the end of the small print in every document that you have signed. Did you buy any medicine with a credit card - can you even guess how many people that information has been sold to?

        You have no secrets, it's time to grow up and realize that the world (as defined by "big data") is not your friend, it just wants you to think that it is - you are just a tasty meal.

        1. Boris the Cockroach Silver badge
          Devil

          Re: Please let me know where you work...

          Quote:

          I understand how you feel but you're living in a fools world (sorry, no insult) if you think that information like this is hidden and only seen by you and your doctor.

          Well after reading this, I called up the bored receptionist at your doctors to find out you had an AIDS test 3 months ago, as well as a check up at the sexual health clinic.

          ANd the details have leaked up because you think everyone hoovers up all of your details

          BTW , your wife wants a divorce because "WTF were you doing at a sexual health clinic, let alone having an AIDS test", your employer has said "Oh an AIDS test... you must be a druggie, you're fired, and your health insurance co just found out and raised your premium by 500%.

          Oh and having a 4" penis is a bit on the small side too.

          1. Version 1.0 Silver badge
            Joke

            Re: Please let me know where you work...

            You must have got the wrong records, it's 8 inches, flaccid.

            I do occasionally handle confidential data and I keep it confidential, but I'm not going to take the "holier than thou" attitude and assume that everyone else does - your list shows your biases (some of which are not pretty) and an attitude that would concern me if I were in charge of you handling this type of data - you sound like the sort of person who would peek into records.

            I'm not saying that it's right to leak information, but I think that we are all living in a fools world if we think that it doesn't happen - sometimes illegally but most of the legally.

          2. LucreLout

            Re: Please let me know where you work...

            your employer has said "Oh an AIDS test... you must be a druggie, you're fired

            Boris, I totally agree with your post and have upvoted it.

            However, the part I've quoted might vary more than many people realise. I've had an AIDS test, at a previous employers insistance. It was part of their hiring criteria, because they were privately funding life insurance for us and wanted to rule out pre-existing conditions that may have affected it. As you'll realise, this was a couple of decades ago.

            So, yes, the receptionist should be punished because what she did was very wrong. However, not all employers will react badly - though she had no way of knowing how anyones employer would react.

      2. Anonymous Coward
        Anonymous Coward

        Re: Please let me know where you work...

        I've had boring jobs. I had an internship back in my university days where I had very little to do, was being paid very little, and did not feel great about it. I could have broken into so many things; the company had a bunch of systems and wasn't great at security. People's documents, communications, and systems were open wide to me, and I couldn't even have gotten caught because my job gave me a perfect excuse for going into any clients' systems (it shouldn't have, but it did). I didn't. I didn't because that would be wrong.

        When I had time where there was nothing to do, and I was very bored, I'd look for extra work that needed to be done. But sometimes there wasn't any. So I wasted time on finding out the optimal size of a binary chunk for getting the least time when running different hashing algorithms (incidentally, at that time it was 256 kilobytes for SHA1 and 512 kilobytes for MD5, now it's almost certainly different). I wrote reports on things the managers would never read, but at least I got to research and learn about those things. In short, I found ways to spend my time that were entirely ethical. I respected my employer, only doing something else if there was no work to do, but above all I respected everyone who trusted them, and did not violate their trust. I would hope that everyone reading this would do the same.

        Posting anonymous because I've been let's say very honest about this company's competence.

    2. Anonymous Coward
      Anonymous Coward

      We had a YTS trainee years back in the HR dept who did this with employee salary records ... he was an ex-YTS trainee within a few hours of being discovered!

    3. Anonymous Coward
      Anonymous Coward

      I haven't

      As an IT contractor with medical customers I have access to their practice management systems at an administrative level. I could access every record without leaving a trace.

      I have never taken so much as a sneaky peak at anything other than the test patients (which are quite intentionally filled with humorous medical conditions). To do so is a gross breach of trust and I would be sickened to discover that anyone other than an authorised doctor had read my medical record. That is the most personal data that can be held about a person.

      1. Rol

        Re: I haven't

        Sorry to inform you, but medical practitioners like your GP or consultant rely heavily on administrative staff. They type up your records from various scribbles and Dictaphone notes and others read through them to ascertain whether you need any follow-up appointments.

        But I'm happy to inform you, they are all as professional as your GP, and would never dream of reading any further into your records than is necessary, or divulging anything they have read.

        To be honest, most admin staff will have forgotten every word they read about you once the task was done.

    4. Rol

      While working in a busy city hospital on very low pay, I had three years of unfettered access to the medical records of everyone in the city. On top of that I could easily have requested the records of any other UK citizen.

      And I did read loads and loads of records, and request loads and loads of records from hospitals around the country, but not once was it out of curiosity. Every file I opened was due to a medical requirement, and was part of my job.

      And while I speak for myself, I can assure you my colleagues were too busy and too professional to stoop to such disgraceful behaviour.

      Be assured, the bored receptionist woudn't have lasted a week before losing her job for unprofessional conduct, in my hospital and any other you care to mention.

    5. Richard Boyce

      "I wonder how many of us here would not have done the same thing in that situation?"

      Can you be trusted with medical information?

    6. Doctor Syntax Silver badge

      "I wonder how many of us here would not have done the same thing in that situation?"

      I hope all of us would not have done the same.

  4. Steve Button Silver badge

    Norfolk

    an eastern county in the UK (for US readers)

    You mean...

    an eastern county in the UK where many of the inbred local people have 6 fingers and webbed feet. (for US readers)

    There, fixed that for ya.

    1. Christoph

      Re: Norfolk

      You mean like the ones who have only one arm and one eye?

      1. Anonymous Coward
        Anonymous Coward

        Re: Norfolk

        And there I was, thinking that was going to be a "NFN" (Normal For Norfolk) reference.

        1. AMBxx Silver badge
          Coat

          Re: Norfolk

          If she was related to all her colleagues (quite likely in Norfolk), was this still a crime?

          1. Anonymous Coward
            Anonymous Coward

            Re: Norfolk

            If she was related to all her colleagues (quite likely in Norfolk), was this still a crime?

            Honest your honour, I was only looking at auntie mum's records to see if she's only got one testicle like me...

            1. Anonymous Coward
              Anonymous Coward

              Re: Norfolk

              Norfolk, where solving crime is next to impossible - everyone has too many fingers and all the DNA is the same ....

              1. Doctor Syntax Silver badge

                Re: Norfolk

                "all the DNA is the same"

                Having heard all these stories about Norfolk, when the "Fine Structure" paper ( https://www.nature.com/articles/nature14230 ) was published I expected Norfolk to have its own cluster. It didn't.

        2. Arthur the cat Silver badge

          Re: Norfolk

          And there I was, thinking that was going to be a "NFN" (Normal For Norfolk) reference.

          Nosey for Norfolk?

    2. Brewster's Angle Grinder Silver badge

      Re: Norfolk

      Which is why she should have used "I was looking for signs they might be Deep Ones" as her excuse.

      1. Arthur the cat Silver badge
        Alien

        Re: Norfolk

        Which is why she should have used "I was looking for signs they might be Deep Ones" as her excuse.

        I thought they were further south, off the coast at Dunwich.

        1. CustardGannet
          Joke

          Re: Norfolk

          Why does Norfolk have so many bakeries ?

          'Cos everyone there is really into bread.

    3. Anonymous Coward
      Anonymous Coward

      Re: Norfolk

      Fortunately for the commentards here Norfolk residents do not constitute a racial group as otherwise I think we'd have a potential hate crime on out hands

      1. Anonymous Coward
        Anonymous Coward

        Re: Norfolk

        Racial group? They're only a human group on a technicality.

      2. Korev Silver badge
        Alien

        Re: Norfolk

        Fortunately for the commentards here Norfolk residents do not constitute a racial group as otherwise I think we'd have a potential hate crime on out hands

        Interestingly, a former MP for Norwich got in a lot of trouble for suggesting inbreeding caused a lot of health problems. He was actually a former professional biologist so arguably knew what he was talking about!

    4. Anonymous Coward
      Anonymous Coward

      Re: Norfolk

      So the US readers might compare it to Alabama?

  5. PhilipN Silver badge

    (for US readers)

    Many of them have been there. Suffolk too.

    Went to school there. Flew for the USAF there ...

    Look up Feltwell, Lakenheath and Mildenhall

    1. eldel

      Re: (for US readers)

      I suspect the USAF are about the only source of genetic diversity there in the last 500 years. Which probably means something.

  6. Dabooka

    At least it was reported

    I know it doesn't mean that much, but at least the practice flagged it up to the ICO. It may be because it became public knowledge within the workplace or something, but it still got reported. I dread to think of the breaches that are dealt with on the 'hush-hush'.

    Also no mention of a fine or reprimand for the practice so that suggests they were happy with their trainign and safeguards etc.

    1. John Brown (no body) Silver badge

      Re: At least it was reported

      "Also no mention of a fine or reprimand for the practice so that suggests they were happy with their trainign and safeguards etc."

      When the person doing the snooping is authorised to look at the data, there's not a lot you can do other than record all data accesses and every now and then check the logs to see if it all looks ok. That may well be how the snooping was spotted in the first place, in which case, yes, their training and safeguards are adequate.

      1. Dabooka

        Re: At least it was reported

        Indeed, from what I can read into the article that is my take on it too; I cannot believe that a missed requirement for training and systems, whether mandatory or best practice, wouldn't have been mentioned in the summing up.

  7. GnuTzu
    Megaphone

    Training

    This kind of thing is covered in annual training, and agencies are required to have such training--at least where I work. Just think; there are places where private information of celebrities and government officials can be looked up. Not only must there be training, but these things need monitoring and enforcement. I guess there are areas where these regulations need to be fortified just a bit.

  8. Anonymous Coward
    Anonymous Coward

    Awwww, c'mon

    How many of us have an "I read your e-mail" t-shirt in the closet somewhere. I am fully up with the "need to know" restrictions, I have them in my job, but I am paid a lot more than some clerical worker. And it's not about the money, if part of your job is to read and review medical files, and you read them all, because you are bored, I would just say you are being proactive.

    granted I don't wear my "I am root, fear me" or my "I read your e-mail" shirts much anymore, but still, chill.

  9. adgec
    Alert

    Surely under the recent Morrisons ruling anyone affected can now sue the GP Practice.

  10. Anonymous Coward
    Anonymous Coward

    Heres the issue

    The folks that read this site are (aherm) a pretty educated lot....

    And even here its going a bit do laley over whether or not the person was really causing any harm....

    Sure, I might not want Sally next door to know my STD results, or work colleague Ben to know I had a bout of the sh1ts the other day and stank the loos out....

    BUT....do I really care that much that someone who is qualified and authorised to read through my records as part of their job sifts through some personal data.....as long as they keep it to themselves, dont tell anyone and keep it as confidential as its supposed to be.....the answer is, probably not.

    But give a set of Daily Mail readers the same circumstances and wow, watch the sparks fly....she would be hung drawn and quartered, not just hit with a measly £1k fine!

    I think the point is that she was caught reading a co-workers file.....and it all escalated from there, with some goody two shoes that just had to involve the ICO....probably because of said Daily Mail readers....

    This has gone waaay out of all proportion (hence the peanuts fine).

    Now, if it was some hacker looking for medical records to use as extortion....thats when its a real problem.....

    1. dansbar

      Re: Heres the issue

      She was neither qualified or authorised. Further, I suggest that her short attention span is an indicator that any juicy information was at risk of becoming gossip the moment she got bored in company.

  11. Spamfast

    Hannah Pepper has to pay £1,028.75 after she was found to have illegally accessed 231 patient files

    No mention of it so I 'm assuming the worst - to wit that she got to keep her job and the fine is all the punishment she's received.

    Basically all she got was a slap on the wrist for an unforgivable breach of trust, utter lack of professional behaviour and giving in to pretty nasty urges.

    I'd have insisted on her summary dismissal, a court order banning her from ever working in a similar position of trust again and fined her a lot more, a large part of which I'd earmark as compensation for those whose data she abused. (If unable to pay immediately, then attached from her salary in her next job.)

    If the courts don't treat this sort of behaviour seriously, it's never going to stop.

  12. Anonymous Coward
    Anonymous Coward

    Explain this to me...

    "Her role required her to look at some medical records – lawfully – to help doctors, solicitors and insurance companies."

    Doctors, well obviously, yes - the others, when and how did I consent to that? And by someone who clearly has no understanding of 'patient confidentiality'

    BTW, the first 'ex' refused to go to a Doctors Surgery just over a mile from the house because one of the receptionists there knew her and she didn't want her gossiping about her medical stuff the way she did about other friends... She went to one just over eleven miles away so she could be gossiped about by a stranger (some of here 'issues' were worthy of a listen over a dry sherry or two to be fair).

    1. dansbar

      Re: Explain this to me...

      A solicitor with a court order or a medical insurer that you have signed up to and provided consent would request medical records from your doctor and a clerk/admin assistant/receptionist would provide those records.

  13. EJ

    ...people "have been placed in a position of trust, and with that trust comes added responsibility".

    But of course, no added compensation.

  14. James O'Shea

    HIPAA

    In the US, HIPAA https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act would have applied. The Feds would Not Have Been Amused. As far as I can see, m'girl would, at the least, have been liable for up to US$50,000 per offense to a max of $1,500,000. Or, if the judge wanted to heave the book at her (and he'd be a federal judge, they just love to throw the book, have a nice lapdog prosecutor go and retrieve it, and then throw it again) a fine of $50,000 per offense plus one year per offense ranging up to $250,000 per offense and 10 years in a federal pokey per offense, should the judge feel that there was an attempt to 'use individually identifiable health information for commercial advantage, personal gain or malicious harm'. That 231 offenses. If she gossiped about even one, that's malicious harm, and she's looking at up to $250,000 and 10 years times 231. In the real world even the feds don't go for the max unless you piss them off, but they can if they want to.

    M'girl got off lightly.

    There is a reason why some people refuse to do any work involving health info. HIPAA has very big, very sharp, teeth, and the feds deploy it with fell intent. https://www.medprodisposal.com/20-catastrophic-hipaa-violation-cases-to-open-your-eyes Note that several of those cases involve people who did less than what m'girl did, and got seriously hammered.

    1. EnviableOne

      Re: HIPAA

      GDPR has bigger teeth, and if she was hit under that, lets just say bancruptcy would have been on the horizon.

      Even now, she will struggle to get a job with this on her record

  15. Pascal Monett Silver badge

    "at times she struggled with the monotony of some of her tasks"

    Pinterest is your friend, my dear.

    At least there, you will not indulge yourself in the private details of people you know.

  16. TrumpSlurp the Troll
    Trollface

    Training?

    Obviously didn't include the audit trail.

  17. onemark03

    @ Ian Johnston (Re: Re: It would be serious if there was malice involved):

    The precise harm is also the small matter of violation of personal privacy...

  18. UncleDavid

    Why do you define "Norfolk" for the Yanks (who could easily look it up in their favorite mapping app) and not define "surgery"? (US: "Physician's Office". No scalpels involved).

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like