DataBreaches.Net


UK: NHS Grampian out of compliance with Data Protection Act – again.

Posted on November 19, 2014 by Dissent

From the Information Commissioner’s Office:

The Information Commissioner’s Office (ICO) has ordered Grampian Health Board (NHS Grampian) to take action to make sure patients’ information is better protected.

The warning comes after six data breaches within a thirteen-month period where papers containing sensitive personal data were left abandoned in public areas of the hospital, and one case where the information was found at a local supermarket. All of the papers were returned to staff, with the final incident occurring on 28 March 2014.

The ICO’s investigation found the same mistakes continued to occur because NHS Grampian didn’t have an information register identifying the personal information held and the department responsible for looking after it. This gap in their procedures resulted in the organisation failing to take sufficient remedial action. The ICO previously alerted NHS Grampian to this oversight during an audit carried out in December 2011, but the organisation failed to act.

This is not the first time NHS Grampian has been required to sign an undertaking. In September 2009, PHIprivacy.net reported that Grampian had signed an undertaking following three separate incidents: a nursing manager had inappropriately emailed 50 staff with sensitive personal details relating to a patient; a lack of secure storage on the labour ward enabled someone to remove the personal details of 200 patients from a confidential waste sack; and a laptop holding unencrypted details of 1,500 patients in the gastroenterology clinic was stolen from a locked office.

In 2012, this site noted a report that 50 patient records had gone missing or were lost in the previous year. At that time, the public did not know about the consensual audit Grampian had undergone or its findings.

The ICO’s current enforcement notice requires Grampian to produce an overarching, high-level information asset register assigning owners in line with best practice by 22 June 2015. The register must explain which areas of the organisation are responsible for keeping the personal information they handle secure. Grampian must provide a progress report showing how these improvements are being made by 31 March 2015, and confirm completion by 29 June 2015.

Given its history, Grampian should consider itself fortunate that there was no monetary penalty.
