Published: 11:50, 21 August 2014
Codes for key safes and names, addresses and telephone numbers of dozens of elderly and vulnerable people were accidentally sent out in an email.
As many as 120 people under the care of Kent Social Care Professionals (KentSCP) had their safety compromised after the list was unintentionally distributed to almost 200 people.
Although the recipients were mostly care workers, the sensitive information was also sent to relatives of those who had nothing to do with those named in the documents.
Addresses were in New Ash Green, Swanley, Hextable, Northfleet, Gravesend, Dartford, Meopham, Istead Rise, Greenhithe, West Kingsdown and Longfield.
Both KentSCP and Kent County Council – which awarded the company a contract to provide home care in Gravesham, Dartford and Swanley in April – are investigating.
One of those who received the email was Dennis Barnes in Dorset, registered to care for the affairs of his aunt, who is in KentSCP's care.
He forwarded it to KentOnline after informing the company involved.
He said: "My wife was incorrectly sent the very sensitive email, which had an attachment of five pages which detailed members of the public's home key code numbers and addresses. It also had personal phone numbers of all people on the list.
"With this list a criminally minded individual could phone an address to see if the home was occupied. If no answer they could let themselves in via the key code box which holds a spare front door key."
After the first email went out, a follow-up email was sent from KentSCP saying there had been a breach in the Data Security Act and asking that the email be destroyed.
Compliance manager Cathy Hadlow said KentSCP took the "safety and privacy of our clients very seriously and would like to reassure people that immediate actions were taken to inform and safeguard everyone involved".
The number of emails sent with the information attached was 198 with the "vast majority" sent to care workers. The other 16 were sent to family members of service users.
Ms Hadlow said: "An email was sent to inappropriate recipients. The email contained a list of names, addresses, phone numbers and key safe numbers.
"We were immediately aware of what had happened, and began taking steps to inform the people whose data had been compromised, and to get the key safe numbers changed.
"Some service users were contacted directly, for some we contacted family members, or we sent care workers to explain in person and change the codes.
"By the end of the day that the email was sent, the majority of the numbers were changed, or family members informed.
"Apart from five instances of people who have for various reasons refused – and we have to respect their personal choice – all of the key safe numbers affected are either changed or the keys have been removed."
Since it happened, emailing from the company's database has been disabled while the incident is investigated and key safe numbers are no longer emailed.
Data protection training sessions are also being held for staff.
KentSCP domiciliary care agency provides care and support for people in their own homes.
Care is provided for a range of people, including the elderly and those with dementia.
A Care Quality Commission report in August found the agency met all standards of care.
Ms Hadlow said: "A follow-up email was sent around noon on the same day, to the people who had received the list asking them to delete it.
"We knew we could not be confident that everyone would comply, as is evident from the fact that one recipient forwarded it to you.
"We reported the breach to CQC on the same day, and to the police on the following day."
A Kent County Council spokesman said: "Our contracts with home care providers include stringent data protection requirements.
"We have received a report from Kent SCP detailing the breach and the actions taken. Kent SCP acted quickly to minimise any risks and will be undertaking a full investigation.
"We expect the provider to keep us fully informed of the actions taken to make sure that such a breach does not happen again. KCC is also carrying out its own investigation in accordance with our Information Security Incident Protocol."