Hospitals across the UK have been urged to review their data protection policies following an incident at NHS Fife that saw an unauthorized individual break into a ward to steal patient data.
An investigation by the Information Commissioner’s Office (ICO) found that an unauthorized person was able to gain access to systems belonging to the hospital in February 2023, leading to the removal of sensitive information from the site.
NHS Fife was found to have inappropriate security controls in place for processing personal information or validating personnel access. It was also found to have exhibited poor levels of staff training around topics like data protection, according to the ICO.
The ICO outlined a number of steps NHS Fife, and other hospitals across the country, could take to improve their data protection compliance.
First is to improve the overall staff training rate, in particular ensuring staff frequently undergo refresher training sessions on data protection to reinforce robust cyber security habits. The ICO has also urged hospitals to develop their own formal ID verification policies, and to make these available to employees through their intranets.
Healthcare organizations have been warned to review their data breach reporting process and ensure all personal data breaches are reported within 72 hours.
“Patient data is highly sensitive information that must be handled with the appropriate security,” said the ICO’s head of investigations, Natasha Longson. “When accessing healthcare and other vital services, people need to trust that their data is secure and only available to authorized individuals.”
“Every healthcare organization should look at this case as a lesson learned and consider their own policies when it comes to security checks and authorized access. We are pleased to see that NHS Fife has introduced new measures to prevent similar incidents from occurring in the future.”
Alarming data protection failings at NHS Fife
The incident at NHS Fife was a rare example of a person gaining physical access to a site to steal patient data.
The unauthorized person was able to access a hospital ward without having to present ID verification. Once on the ward, the suspect is said to have been handed a document containing personal information belonging to 14 people.
The unauthorized person even assisted with administering care to one patient, according to the ICO’s investigation.
The site's CCTV policies were also found to be inadequate, as the system failed to capture the suspect breaking into the ward after a staff member accidentally turned off the wall socket powering the network.
The personal information was eventually taken off site by the individual, and has so far not been recovered.
Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.