DataBreaches.Net

UK: NHS Grampian out of compliance with Data Protection Act – again.

Posted on November 19, 2014 by Dissent

From the Information Commissioner’s Office:

The Information Commissioner’s Office (ICO) has ordered Grampian Health Board (NHS Grampian) to take action to make sure patients’ information is better protected.

The warning comes after six data breaches within a thirteen-month period where papers containing sensitive personal data were left abandoned in public areas of the hospital and one case where the information was found at a local supermarket. All of the papers were returned to staff, with the final incident occurring on 28 March 2014.

The ICO’s investigation found the same mistakes continued to occur because NHS Grampian didn’t have an information register identifying the personal information held and the department responsible for looking after it. This gap in their procedures resulted in the organisation failing to take sufficient remedial action. The ICO previously alerted NHS Grampian to this oversight during an audit carried out in December 2011, but the organisation failed to act.

This is not the first time Grampian NHS has been required to sign an undertaking. In September 2009, PHIprivacy.net reported that Grampian had signed an undertaking following three separate incidents: a nursing manager had inappropriately emailed 50 staff with sensitive personal details relating to a patient, lack of secure storage on the labor ward enabled someone to remove the personal details of 200 patients from a confidential waste sack, and a laptop with unencrypted details of 1,500 patients in the gastroenterology clinic was stolen from a locked office.

In 2012, this site noted a report that 50 patient records had gone missing or were lost in the previous year. At that time, the public did not know about the consensual audit Grampian had undergone or its findings.

The ICO’s current enforcement notice requires Grampian to produce an overarching, high-level information asset register, assigning owners in line with best practice, by 22 June 2015. The register must explain which areas of the organization are responsible for keeping the personal information they handle secure. Grampian must provide a progress report showing how these improvements are being made by 31 March 2015, and confirm completion by 29 June 2015.

Given its past history, Grampian should consider itself fortunate that there was no monetary penalty.
