DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

U.K.: Hospitals urged to improve data protection standards following incident at NHS Fife

Posted on November 28, 2023 by Dissent

From the Information Commissioner’s Office:

The Information Commissioner’s Office (ICO) has issued a reprimand to NHS Fife, after an unauthorised person was able to enter a ward and access the personal information of 14 patients.

In February 2023, an unauthorised person gained access to a ward. Due to a lack of identification checks and formal processes, the non-staff member was handed a document containing personal information of 14 people and assisted with administering care to one patient.

The data was taken off site by the person and has not been recovered. While the hospital had CCTV installed, the wall socket with the CCTV had been accidentally turned off by a member of staff prior to the incident. The police have not been able to identify the person or recover the lost data, hindered by the lack of CCTV footage.

The ICO’s investigation concluded that NHS Fife did not have appropriate security measures for personal information, as well as low staff training rates. Following this incident, NHS Fife introduced new measures such as a system for documents containing patient data to be signed in and out, as well as updated identification processes.

Patient data is highly sensitive information that must be handled with the appropriate security. When accessing healthcare and other vital services, people need to trust that their data is secure and only available to authorised individuals.

Every healthcare organisation should look at this case as a lesson learned and consider their own policies when it comes to security checks and authorised access. We are pleased to see that NHS Fife has introduced new measures to prevent similar incidents from occurring in the future. – Natasha Longson, ICO Head of Investigations

Recommendations

The ICO recommended that NHS Fife could improve its data protection compliance by:

  • Improving the overall training rate, in line with current legislation. For example, refresher data protection training should be provided to all staff more frequently and underpinned by written guidance on security for employees The ICO has helpful resources on staff training.
  • Developing guidance or a policy in relation to formal ID verification.
  • Reviewing all policies available from their intranet, ensuring that they are all up-to-date and accurate, with archived versions clearly marked.
  • Revisiting the data breach reporting process and ensure relevant personal data breaches are reported within 72 hours.

The ICO has asked NHS Fife to provide an update of actions taken within six months of the reprimand being issued.

In light of this incident, all organisations should consider whether they have appropriate identification processes and training in place.

Category: Health DataNon-U.S.

Post navigation

← International collaboration leads to dismantlement of ransomware group in Ukraine amidst ongoing war
North Texas Municipal Water District hit by ransomware attack →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon
  • US govt login portal could be one cyberattack away from collapse, say auditors
  • Two Men Sentenced to Prison for Aggravated Identity Theft and Computer Hacking Crimes
  • 100,000 UK taxpayer accounts hit in £47m phishing attack on HMRC
  • CISA Alert: Updated Guidance on Play Ransomware

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant
  • US State Dept. says silence or anonymity on social media is suspicious

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.