Grampian Health Board rapped over patient data security failures
Scottish NHS organisation warned over mishandling of data after sensitive information abandoned in supermarket
The Information Commissioner's Office (ICO) has ordered the Grampian Health Board to clean up its act after suffering six data breaches in thirteen months.
The data protection watchdog said the healthcare organisation had to take action to ensure patient information is better protected.
The ICO listed a series of incidents, including the abandonment of sensitive personal data in public areas of the hospital and one case where patient data was found at a local supermarket.
All of the papers were returned to staff, with the final incident occurring on 28 March 2014.
The regulator's investigation found the same mistakes continued to occur because NHS Grampian didn't have an information register identifying the personal information held and the department responsible for looking after it.
This gap in procedures resulted in the organisation failing to take sufficient remedial action, the ICO ruled.
The regulator had also alerted NHS Grampian to this oversight during an audit carried out in December 2011, but the organisation failed to act.
ICO assistant commissioner for Scotland, Ken Macdonald, said: "It's a fundamental requirement of the Data Protection Act that organisations understand what personal information they hold and who is responsible for looking after it on a day-to-day basis.
"NHS Grampian failed to do this, despite committing to addressing this problem when our office highlighted it as an issue during an audit three years ago.
"We hope this enforcement notice gives the organisation a further chance to put their house in order and look after the information of the people they serve."
Mr Macdonald said failure to comply with the notice was a criminal offence.
"If any further breaches occur, we do not rule out taking further regulatory action, including fining the organisation up to £500,000," he added.
The health board has until 29 June 2015 to complete an information asset register.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.