Private Health Firm Fined £200,000 after IVF Patients’ Confidential Conversations Revealed Online
The Information Commissioner's Office (ICO) announced yesterday that it had fined a private health company, HCA International Ltd, £200,000 for failing to keep fertility patients' personal information secure.
Back in April 2015, a patient discovered that transcripts of interviews with Lister Hospital IVF patients could be freely accessed by anyone using a search engine. A subsequent ICO investigation revealed that the hospital had, since 2009, been sending unencrypted audio recordings by email to a company in India to be transcribed. The Indian company could not restrict access to the personal information because it stored the audio files and transcripts on an insecure server, leaving them exposed to the internet and indexed by search engines. The ICO therefore found that HCA International had breached the Data Protection Act 1998 by failing to ensure that its sub-contractor handled the data securely.
Sadly, this incident is part of a wider trend, with the healthcare sector accounting for 46% of the self-reported data protection incidents handled by the ICO in 2015-16. More generally, it is a reminder to us all that you can outsource an activity, but you cannot outsource your responsibilities to your stakeholders.