The Information Commissioner's Office (ICO) has ordered the Grampian Health Board to clean up its act after suffering six data breaches in thirteen months.
The data protection watchdog said the healthcare organisation had to take action to ensure patient information is better protected.
The ICO listed a series of incidents, including the abandonment of sensitive personal data in public areas of the hospital and one case where patient data was found at a local supermarket.
All of the papers were returned to staff, with the final incident occurring on 28 March 2014.
The regulator's investigation found the same mistakes continued to occur because NHS Grampian didn't have an information register identifying the personal information held and the department responsible for looking after it.
This gap in procedures resulted in the organisation failing to take sufficient remedial action, the ICO ruled.
It also previously alerted NHS Grampian to this oversight during an audit carried out in December 2011, but the organisation failed to act.
ICO assistant commissioner for Scotland, Ken Macdonald, said: "It's a fundamental requirement of the Data Protection Act that organisations understand what personal information they hold and who is responsible for looking after it on a day-to-day basis.
"NHS Grampian failed to do this, despite committing to addressing this problem when our office highlighted it as an issue during an audit three years ago.
"We hope this enforcement notice gives the organisation a further chance to put their house in order and look after the information of the people they serve."
Mr Macdonald said failure to comply with the notice was a criminal offence.
"If any further breaches occur, we do not rule out taking further regulatory action, including fining the organisation up to 500,000," he added.
The health board has until 29 June 2015 to complete an information asset register.
-
RSAC Conference 2025: The front line of cyber innovationITPro Podcast Ransomware, quantum computing, and an unsurprising focus on AI were highlights of this year's event
-
Anthropic CEO Dario Amodei thinks we're burying our heads in the sand on AI job lossesNews With AI set to hit entry-level jobs especially, some industry execs say clear warning signs are being ignored
-
Two more NHS Trusts have been hit with cyber attacks – here’s what we know so farNews A flaw in a third-party device management tool appears to be the source of the incident
-
NHS England launches cyber charter to shore up vendor security practices
News Voluntary charter follows a series of high-profile ransomware attacks
-
NHS supplier hit with £3m fine for security failings that led to attack
News Advanced Computer Software Group lacked MFA, comprehensive vulnerability scanning and proper patch management
-
Cyber attack delayed cancer treatment at NHS hospital
News A cyber attack at Wirral University Teaching Hospital in 2024 delayed critical cancer treatment for patients, documents show.
-
Alder Hey Children’s Hospital confirms hackers gained access to patient data through digital gateway serviceNews Europe’s busiest children’s hospital confirmed attackers were able to steal data from a compromised digital gateway service
-
Major incident declared as Merseyside hospitals hit by cyber attackNews The incident, which has led to cancelled appointments, is just the latest in a series of attacks on healthcare organizations
-
AI recruitment tools are still a privacy nightmare – here's how the ICO plans to crack down on misuseNews The ICO has issued guidance for recruiters and AI developers after finding that many are mishandling data
-
“You must do better”: Information Commissioner John Edwards calls on firms to beef up support for data breach victimsNews Companies need to treat victims with swift, practical action, according to the ICO
