After a recent visit to her local hospital for a routine blood test, Rita Gil reflects on her experience and the patient safety concerns she has around data privacy.
I recently needed to go for some general blood tests to check on my health concerns. The process was relatively simple and smooth; however, it did uncover some flaws in patient safety regarding data privacy that go far beyond the seemingly harmless waiting room, and could put patients unknowingly at risk of fraud and scams.
After my GP had approved the blood tests, I was asked to book a slot using the Swiftqueue website, which is linked to my local hospital. To book a blood test, the steps are simple: selection of date/time and login to my NHS account that has my name, age and other details.
On the 30 September, I went to the hospital and the signs were showing the phlebotomy clinic had moved from where it had previously been located. Around the corner, I was greeted with a large room that had been split—to the left, they were drawing blood with what seemed to be temporary bi-fold walls, and to the right, there was a seating area with the check-in tablet.
As I sat waiting for my name to be called (which previously would have been a name on a screen), I became very aware of how many vulnerable people were around me. As each name was called, I was able to see who the person was standing up and going in for their blood test. As each person went for their bloods, I could hear the nurse asking the person to confirm their full name, date of birth and first line of their address. Of course, I understand that they need to ensure who they are seeing matches the details on their systems. However, as someone in the waiting room able to hear all this information, and working in tech as my profession, where data protection is key, I couldn’t help but think how exposed the patients were.
I could now not only be able to identify the person by their ‘looks’ and name, but I could also know their full name, date of birth and first line of their address (which, knowing most people are local, wouldn’t be too difficult to figure out the full address).
Exposing all this information to an unknown audience makes the patient a target. In a world where cybersecurity and fraud are real problems, protecting private personal information is imperative and mandatory by law. It’s easy to forget how a simple overheard conversation might affect patients later with fraud scams and other threats. In a room where the same process occurs each day, the pattern of information that is obtainable is easily identifiable and exposes a risk.
Now, I can only assume most people in the waiting room are there and not thinking too deeply about all of this—the truth is we don't know who is in a waiting room, and scammers and fraudsters are becoming incrementally more clever. Personal information—as complete as the one described above—should not be this accessible to an unknown audience.
Regardless of whether the new phlebotomy clinic location was a temporary set-up, protecting patient safety goes beyond safe care given by professionals. Personal data protection should be embedded into the planning of the hospital care set-up, as the most vulnerable people are known to be found in these spaces and fraudsters are actively looking for new and clever opportunities to prey on them.
It would be utopian to believe that we are surrounded by people with good intentions only; the reality is that data protection exists due to a real threat from fraudsters, and everyone is at risk.
Making private information accessible in communities can cause harm to patients outside of the seemingly safe and harmless waiting room.
After a recent visit to her local hospital for a routine blood test, Rita Gil reflects on her experience and the patient safety concerns she has around data privacy. I recently needed to go for some general blood tests to check on my health concerns. The process was relatively simple and smooth; however, it did uncover some flaws in patient safety regarding data privacy that go far beyond the seemingly harmless waiting room, and could put patients unknowingly at risk of fraud and scams. After my GP had approved the blood tests, I was asked to book a slot using the Swiftqueue website, which is linked to my local hospital. To book a blood test, the steps are simple: selection of date/time and login to my NHS account that has my name, age and other details. On the 30 September, I went to the hospital and the signs were showing the phlebotomy clinic had moved from where it had previously been located. Around the corner, I was greeted with a large room that had been split—to the left, they were drawing blood with what seemed to be temporary bi-fold walls, and to the right, there was a seating area with the check-in tablet. As I sat waiting for my name to be called (which previously would have been a name on a screen), I became very aware of how many vulnerable people were around me. As each name was called, I was able to see who the person was standing up and going in for their blood test. As each person went for their bloods, I could hear the nurse asking the person to confirm their full name, date of birth and first line of their address. Of course, I understand that they need to ensure who they are seeing matches the details on their systems. However, as someone in the waiting room able to hear all this information, and working in tech as my profession, where data protection is key, I couldn’t help but think how exposed the patients were. I could now not only be able to identify the person by their ‘looks’ and name, but I could also know their full name, date of birth and first line of their address (which, knowing most people are local, wouldn’t be too difficult to figure out the full address). Exposing all this information to an unknown audience makes the patient a target. In a world where cybersecurity and fraud are real problems, protecting private personal information is imperative and mandatory by law. It’s easy to forget how a simple overheard conversation might affect patients later with fraud scams and other threats. In a room where the same process occurs each day, the pattern of information that is obtainable is easily identifiable and exposes a risk. Now, I can only assume most people in the waiting room are there and not thinking too deeply about all of this—the truth is we don't know who is in a waiting room, and scammers and fraudsters are becoming incrementally more clever. Personal information—as complete as the one described above—should not be this accessible to an unknown audience. Regardless of whether the new phlebotomy clinic location was a temporary set-up, protecting patient safety goes beyond safe care given by professionals. Personal data protection should be embedded into the planning of the hospital care set-up, as the most vulnerable people are known to be found in these spaces and fraudsters are actively looking for new and clever opportunities to prey on them. It would be utopian to believe that we are surrounded by people with good intentions only; the reality is that data protection exists due to a real threat from fraudsters, and everyone is at risk. Making private information accessible in communities can cause harm to patients outside of the seemingly safe and harmless waiting room.
