Grampian Health Board rapped over patient data security failures
Scottish NHS organisation warned over mishandling of data after sensitive information abandoned in supermarket


The Information Commissioner's Office (ICO) has ordered the Grampian Health Board to clean up its act after suffering six data breaches in thirteen months.
The data protection watchdog said the healthcare organisation had to take action to ensure patient information is better protected.
The ICO listed a series of incidents, including the abandonment of sensitive personal data in public areas of the hospital and one case where patient data was found at a local supermarket.
All of the papers were returned to staff, with the final incident occurring on 28 March 2014.
The regulator's investigation found the same mistakes continued to occur because NHS Grampian didn't have an information register identifying the personal information held and the department responsible for looking after it.
This gap in procedures resulted in the organisation failing to take sufficient remedial action, the ICO ruled.
It also previously alerted NHS Grampian to this oversight during an audit carried out in December 2011, but the organisation failed to act.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
ICO assistant commissioner for Scotland, Ken Macdonald, said: "It's a fundamental requirement of the Data Protection Act that organisations understand what personal information they hold and who is responsible for looking after it on a day-to-day basis.
"NHS Grampian failed to do this, despite committing to addressing this problem when our office highlighted it as an issue during an audit three years ago.
"We hope this enforcement notice gives the organisation a further chance to put their house in order and look after the information of the people they serve."
Mr Macdonald said failure to comply with the notice was a criminal offence.
"If any further breaches occur, we do not rule out taking further regulatory action, including fining the organisation up to 500,000," he added.
The health board has until 29 June 2015 to complete an information asset register.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.
-
Jensen Huang thinks the UK has immense AI potential – but it still has a lot of work to do
News The Nvidia chief exec described the UK as a “fantastic place for VCs to invest” but stressed hardware has to expand to reap the benefits
-
Crayon targets mid-market gains with expanded Google Cloud partnership
News The collaboration will enable mid-market channel partners to deliver Google Cloud’s AI technologies and cloud solutions
-
Two more NHS Trusts have been hit with cyber attacks – here’s what we know so far
News A flaw in a third-party device management tool appears to be the source of the incident
-
NHS England launches cyber charter to shore up vendor security practices
News Voluntary charter follows a series of high-profile ransomware attacks
-
NHS supplier hit with £3m fine for security failings that led to attack
News Advanced Computer Software Group lacked MFA, comprehensive vulnerability scanning and proper patch management
-
Cyber attack delayed cancer treatment at NHS hospital
News A cyber attack at Wirral University Teaching Hospital in 2024 delayed critical cancer treatment for patients, documents show.
-
Alder Hey Children’s Hospital confirms hackers gained access to patient data through digital gateway service
News Europe’s busiest children’s hospital confirmed attackers were able to steal data from a compromised digital gateway service
-
Major incident declared as Merseyside hospitals hit by cyber attack
News The incident, which has led to cancelled appointments, is just the latest in a series of attacks on healthcare organizations
-
AI recruitment tools are still a privacy nightmare – here's how the ICO plans to crack down on misuse
News The ICO has issued guidance for recruiters and AI developers after finding that many are mishandling data
-
“You must do better”: Information Commissioner John Edwards calls on firms to beef up support for data breach victims
News Companies need to treat victims with swift, practical action, according to the ICO