
Data Breach – Safety Related Breach

  • Writer: Breffni Martin
  • Apr 8

A sponsor was running a phase 3 pivotal study for a relapsed leukaemia therapy in multiple European countries where a novel biological combination therapy was assessed against standard of care. The study produced several Suspected Unexpected Serious Adverse Reactions (SUSARs).


The study also involved several different specialised laboratories, some in the EU and some in the USA. In several instances local hospital laboratories were used for general blood chemistry testing. Because of the nature of the disease, patients were often well known to hospital staff.


Pharmacovigilance services were provided by a US-based vendor, so that all Individual Case Safety Reports (ICSRs) were processed in the USA. Processing of SUSAR ICSRs needs to be completed within seven days of the sponsor becoming aware of them. Each one involved sending a large package of documentation to the safety vendor for processing, including blood chemistry results.


Unfortunately, in several instances the hospital staff failed to redact the blood chemistry results sheet, and it was sent to the safety vendor unredacted. This was picked up during a review of the ICSR by the Sponsor Responsible Person and communicated to the Sponsor Data Protection Officer (DPO).


As luck would have it, this came to light late on a Friday afternoon, US Pacific Time, so that the DPO only became aware of it when they opened their email on Saturday morning. The DPO immediately initiated an investigation into a possible serious data breach, based on a 72-hour clock running from when the email was sent by the RPEV and adjusted to Central European Time. This meant that the decision on whether to report to the data subject or the relevant supervisory authority had to be made by Monday evening.


The GDPR requires that the DPO's breach investigation determine, within 72 hours, whether a breach represents a risk to the data subject's rights and freedoms. If it presents a risk, the relevant supervisory authority must be informed immediately; if it is determined that a high risk exists, then the data subject must also be informed.


Thanks to a trans-Atlantic series of coordinated actions involving the CRO, the site and the PV vendor, it was possible to completely contain the breach: to ensure that all the parties concerned were contracted with strong confidentiality language, that no data had been forwarded beyond two PV vendor staff, and that the data that had been inadvertently shared was irreversibly deleted.


In this way it was possible to make a determination at the end of Monday, just before the 72-hour deadline, that there was no risk to the rights and freedoms of the data subject concerned.


Remedial actions included further educating hospital staff regarding GDPR rules, updating the data breach SOP, implementing a system to alert the DPO outside office hours and during weekends and holidays, and producing a detailed report assessing the breach and its conclusion.


Breffni Martin, Templetown, Carlingford, County Louth, Ireland, A91 T923

 

E bmartin@regintel.com                O +353 429376740                 +353 879145363

 

Regintel is a registered trademark of Regintel Limited, and all content is copyright protected.
