Former NHS worker fined for unauthorised medical record access

A former NHS staff member has been convicted and fined for unlawfully accessing the medical records of more than 150 individuals.

Loretta Alborghetti from Redditch worked as a medical secretary in the Ophthalmology department at Worcestershire Acute Hospitals NHS Trust.

The case emerged in June 2019 when a patient raised concerns about unauthorised access to their medical records.

An investigation revealed that Alborghetti had accessed the records of this individual 33 times between March 2019 and June 2019, without proper consent or a valid business reason.

Further scrutiny exposed that she had illicitly accessed a total of 156 patient records without consent or a legitimate business justification, viewing them over 1800 times within the three-month period.

This included records of family members and individuals with postcodes in close proximity to her residence at the time.

While part of her responsibilities as a medical secretary involved accessing clinical and personal patient information in the ophthalmology department, those whose records she accessed had no relevant medical conditions in that field.

Alborghetti appeared before Worcester Magistrates’ Court on November 15, 2023. After an investigation by the Information Commissioner’s Office, she pleaded guilty to unlawfully obtaining personal data in violation of Section 170 of the Data Protection Act 2018 and as a result, she was ordered to pay a total of £648.

Andy Curry, ICO head of investigations, said: “People should never have to think twice about whether their sensitive data, such as their medical records, is secure and in safe hands. We want to remind those in positions of trust that just because your job may grant you access to other people’s personal information, that doesn’t mean you have the legal right to look at it for your own purposes. This case shows that the ICO will take action when confidential personal records are accessed unlawfully. Curiosity is no excuse for breaching data protection laws.”