The Information Commissioner's Office (ICO) has ordered the Grampian Health Board to clean up its act after suffering six data breaches in thirteen months.
The data protection watchdog said the healthcare organisation had to take action to ensure patient information is better protected.
The ICO listed a series of incidents, including the abandonment of sensitive personal data in public areas of the hospital and one case where patient data was found at a local supermarket.
All of the papers were returned to staff, with the final incident occurring on 28 March 2014.
The regulator's investigation found the same mistakes continued to occur because NHS Grampian didn't have an information register identifying the personal information held and the department responsible for looking after it.
This gap in procedures resulted in the organisation failing to take sufficient remedial action, the ICO ruled.
It also previously alerted NHS Grampian to this oversight during an audit carried out in December 2011, but the organisation failed to act.
ICO assistant commissioner for Scotland, Ken Macdonald, said: "It's a fundamental requirement of the Data Protection Act that organisations understand what personal information they hold and who is responsible for looking after it on a day-to-day basis.
"NHS Grampian failed to do this, despite committing to addressing this problem when our office highlighted it as an issue during an audit three years ago.
"We hope this enforcement notice gives the organisation a further chance to put their house in order and look after the information of the people they serve."
Mr Macdonald said failure to comply with the notice was a criminal offence.
"If any further breaches occur, we do not rule out taking further regulatory action, including fining the organisation up to 500,000," he added.
The health board has until 29 June 2015 to complete an information asset register.
-
Should AI PCs be part of your next hardware refresh?AI PCs are fast becoming a business staple and a surefire way to future-proof your business
-
Westcon-Comstor and Vectra AI launch brace of new channel initiativesNews Westcon-Comstor and Vectra AI have announced the launch of two new channel growth initiatives focused on the managed security service provider (MSSP) space and AWS Marketplace.
-
NHS supplier hit with £3m fine for security failings that led to attackNews Advanced Computer Software Group lacked MFA, comprehensive vulnerability scanning and proper patch management
-
Cyber attack delayed cancer treatment at NHS hospital
News A cyber attack at Wirral University Teaching Hospital in 2024 delayed critical cancer treatment for patients, documents show.
-
Alder Hey Children’s Hospital confirms hackers gained access to patient data through digital gateway serviceNews Europe’s busiest children’s hospital confirmed attackers were able to steal data from a compromised digital gateway service
-
Major incident declared as Merseyside hospitals hit by cyber attackNews The incident, which has led to cancelled appointments, is just the latest in a series of attacks on healthcare organizations
-
AI recruitment tools are still a privacy nightmare – here's how the ICO plans to crack down on misuseNews The ICO has issued guidance for recruiters and AI developers after finding that many are mishandling data
-
“You must do better”: Information Commissioner John Edwards calls on firms to beef up support for data breach victimsNews Companies need to treat victims with swift, practical action, according to the ICO
-
LinkedIn backtracks on AI training rules after user backlashNews UK-based LinkedIn users will now get the same protections as those elsewhere in Europe
-
UK's data protection watchdog deepens cooperation with National Crime AgencyNews The two bodies want to improve the support given to organizations experiencing cyber attacks and ransomware recovery
