Data Security Breach Advice

1813

Hello, 

I am afraid that I have experienced quite a distressing situation at work that I need some advice on. 

Unfortunately, I sent an email to the wrong person. For example, I sent it to johnsmith1@johnsmith.com instead of johnsmith@johnsmith.com - I sent this email to both addresses, assuming they were one and the same. The actual name of the person I sent this email to had quite an uncommon name and I thought nothing more of it.

This morning, I got a response from the other John Snith who said that I had breached security by sending this email to them instead of the proper John Smith and they were going to raise a security report against me. 

The email itself was sent within the organisation so it never left the organisation per se. 

My question is, do I have any defence here and what next steps should I take because as I explained, I am in distress and my mental health isn’t the best so I appreciate any advice. 

I work for the NHS.

Thank you,

Marcon

1813 said:

Hello, 

I am afraid that I have experienced quite a distressing situation at work that I need some advice on. 

Unfortunately, I sent an email to the wrong person. For example, I sent it to johnsmith1@johnsmith.com instead of johnsmith@johnsmith.com - I sent this email to both addresses, assuming they were one and the same. The actual name of the person I sent this email to had quite an uncommon name and I thought nothing more of it.

This morning, I got a response from the other John Snith who said that I had breached security by sending this email to them instead of the proper John Smith and they were going to raise a security report against me. 

The email itself was sent within the organisation so it never left the organisation per se. 

My question is, do I have any defence here and what next steps should I take because as I explained, I am in distress and my mental health isn’t the best so I appreciate any advice. 

I work for the NHS.

Thank you,

Talk to your manager - now. Explain what happened as calmly as you can (not easy, I know) and see what they have to say.

lincroft1710

Unless the email contained highly sensitive or personal information and the "wrong" John Smith is quite high in management or is a data protection officer, I am wondering why they would pursue this.


I can't see you have any "defence" especially as you sent the email to both addresses which could indicate you were unsure which address to send it to. Admitting to this will only be met with "you should have checked first".


You made a mistake, it is as simple as that. All you can do is see what transpires. Obviously if it does go further then all you can do is apologise profusely. I cannot advise whether you ought to admit the error to your lone manager before the "wrong JS" puts the wheels in motion although this might not be a bad idea. 

1813

Marcon said:

1813 said:

Hello, 

I am afraid that I have experienced quite a distressing situation at work that I need some advice on. 

Unfortunately, I sent an email to the wrong person. For example, I sent it to johnsmith1@johnsmith.com instead of johnsmith@johnsmith.com - I sent this email to both addresses, assuming they were one and the same. The actual name of the person I sent this email to had quite an uncommon name and I thought nothing more of it.

This morning, I got a response from the other John Snith who said that I had breached security by sending this email to them instead of the proper John Smith and they were going to raise a security report against me. 

The email itself was sent within the organisation so it never left the organisation per se. 

My question is, do I have any defence here and what next steps should I take because as I explained, I am in distress and my mental health isn’t the best so I appreciate any advice. 

I work for the NHS.

Thank you,

Talk to your manager - now. Explain what happened as calmly as you can (not easy, I know) and see what they have to say.

I included their name and their hospital number 

Savvy_Sue

Does your email signature have a disclaimer, saying what to do in the event of receiving an email which clearly wasn't intended for you? 

1813

I’m not sure savvy Sue does this make a difference?

NCC1701-A

1813 said:

Hello, 

I am afraid that I have experienced quite a distressing situation at work that I need some advice on. 

Unfortunately, I sent an email to the wrong person. For example, I sent it to johnsmith1@johnsmith.com instead of johnsmith@johnsmith.com - I sent this email to both addresses, assuming they were one and the same. The actual name of the person I sent this email to had quite an uncommon name and I thought nothing more of it.

This morning, I got a response from the other John Snith who said that I had breached security by sending this email to them instead of the proper John Smith and they were going to raise a security report against me. 

The email itself was sent within the organisation so it never left the organisation per se. 

My question is, do I have any defence here and what next steps should I take because as I explained, I am in distress and my mental health isn’t the best so I appreciate any advice. 

I work for the NHS.

Thank you,

Report yourself via Datix, setting out the impact of your actions.

Much better to admit your mistake rather upfront.

Savvy_Sue

1813 said:

I’m not sure savvy Sue does this make a difference?

Well, possibly. I've seen some which are half a screen long, stating that if you've been sent an email in error you must tell the sender, but also not misuse information you shouldn't have. It is possible that the 'wrong' recipient's actions are what they're instructed to do by the signature, and they're following that to avoid finding themselves in the wrong. For example, I've had an email from my GP surgery recently which had the following: 

This message may contain confidential information. If you are not the intended recipient please:
i) inform the sender that you have received the message in error before deleting it; and
ii) do not disclose, copy or distribute information in this e-mail or take any action in relation to its content (to do so is strictly prohibited and may be unlawful).
Thank you for your co-operation.

Sending someone's name and hospital number outside the organisation would, IMO, be a lot more serious. 

We haven't asked yet: are you in a union? If you are, contact your rep and ask for their support. 

Dakta

As above, ask to speak to your manager or log it with the risk management system (as appropriate or both). This is a serious issue but a lot will depend on the content of the email as well.

It's also important beyond your mistake to let them know because from the description of your mistake it does sound really easy to make, so it will help the company be aware of how unintentional disclosures could happen and give them some insight whether things need to be changed or whatever to help keep customers data safe and keep you safe from accidentally disclosing as well. 

As hard as it will be - try not to beat yourself up, whilst this is a serious matter accidents do happen, and it doesn't sound like it was malicious. 

elsien

I’ve just done similar. Sent the wrong information to someone by mistake, but it was information they did actually have the right to. They reported me for a data breach. 

My organisation has decided it’s not a data breach because it’s nothing they shouldn’t know. I have to do refresher training on a GDPR policy and that’s the end of the matter. Obviously I’ll be more careful in future.

Purplelady65

When you say the other person’s hospital number was disclosed do you mean their ESR number? If so yes it’s a breach but not that big a deal really. It’s not as if you’ve disclosed lots of personal information or medical history.  As it’s an internal breach id suggest you should inform your line manager, complete an IRE and then send an apology to the person whose number was inadvertently sent to the other person. It’s interesting that the person saying they are going to report you isn’t the person whose data has been breached. It was a genuine mistake and these sort of things happen more than you might think they do.