from the how-may-we-misdirect-your-call dept
We’ve covered a lot of data breaches on this site over the years. Most involve the leakage of personal info via unsecured databases or careless data handling. But I doubt we’ve covered anything as bizarre as this. (via Databreaches.net)
A Devon hospital has apologised after a caller’s voicemail, containing personal patient details, became the hospital’s answerphone message for more than seven hours.
During that time the caller was inundated with calls from patients giving details about their health problems believing they were ringing North Devon District Hospital in Barnstaple.
Somehow, through the magic/convolutions of business phone systems, the message a woman left while calling to set up an appointment for her husband became the greeting played to callers who were unable to reach a live human being.
Adding inconvenience to possibly tortious injury, the hospital somehow managed to route a number of inbound calls to the person whose message it had accidentally co-opted, resulting in her (who had yet to discover her personal information had been compromised) fielding phone calls from other patients, who ended up sharing their personal info with a complete stranger.
The woman, who asked not to be named, said: “I didn’t think any more of it until an hour and a half later an elderly man called our home phone talking about his private parts as he had a problem and had to have an operation.
“I said to him, ‘I’m ever so sorry but I don’t know what you’re talking about?’. He replied, ‘they have given me your number’.
The hospital’s explanation for this incident isn’t very reassuring. It places the blame on outdated equipment. Unfortunately for people who don’t want their personal info handed over to complete strangers, there’s no telling how many public and private entities could make the same claim about their phone systems.
She said: “The phone lines were redirected and I was told it was completely human error because some parts of the hospital are still using old answer machines.”
And yet old answering machines are operated all the time without turning a message someone left into a voicemail greeting. Sure, it’s not impossible. But good god is it ever unlikely.
Stupidity before malice, as the saying goes. There’s no conceivable reason the hospital would want to generate this kind of press, so it would be irrational to think someone did this to deliberately harm this person. But harm was done nonetheless, and the combination of the UK’s Data Protection Act and the GDPR could result in a pretty hefty fine for the hospital. The going rate is “4% of turnover [gross revenue]” — something that has seen maximum fines rise from £500,000 (the amount charged Equifax) to £183 million (levied against British Airways).
Since the Devon hospital is unlikely to replace its hardware immediately, the risk of repetition remains. Considering it’s apparently never happened before, the risk is low — but certainly not nonexistent. Adding humans to outdated tech will sometimes result in errors that aren’t easily replicated. Given that we’ve heard nothing comparable to this in the many years this blog has been running, this hospital’s inadvertent use of a patient’s sensitive message as its own answering machine greeting is likely to remain a data breach unicorn.