NHS Orkney sorry after records accessed inappropriately

  • Published
Balfour hospital Kirkwall
Image caption,

NHS Orkney has reported the data breach to the information commissioner

NHS Orkney has revealed a data breach affecting patients in Stronsay.

The incident came to light after a member of the public complained to the health board.

An investigation confirmed records may have been accessed inappropriately by a staff member.

Health officials have apologised and said the employee involved no longer works for NHS Orkney. The matter has been reported to the Information Commissioner's Office.

Interim chief executive Michael Dickson said: "This has fallen far short of the behaviour we expect from those working for us. We take patient confidentiality very seriously.

"We have taken steps to review and reinforce our procedures for staff accessing medical records and additional data protection training is being delivered.

"I would like to reassure the individuals affected that there is no evidence that any data has been amended, downloaded, removed, or forwarded."

Image source, NHS Orkney
Image caption,

Interim Chief Executive at NHS Orkney Michael Dickson has apologised "unreservedly" for the breach

The health board has written to everyone affected.

In July 2020, the then Cabinet Secretary for Health, Jeane Freeman MSP, brought in external help to make sure NHS Orkney was following data security rules.

It followed three previous breaches in less than two months, which saw patients' Covid test results sent to a local business, staff travel details wrongly supplied to a reporter on The Orcadian newspaper, and a patient being given someone else's discharge letter.

Stephen Brown, chief officer of Orkney Health and Care - which commissions services from the health board - told BBC Radio Orkney, external those incidents had involved "clearly accidental sharing of information in ways that should never have happened."

He said those lessons had been learned, and NHS Orkney does all it can to protect data.

"But", he said, "in this instance there is no doubt that the individual concerned had deliberately accessed records for nothing more than curiosity.

"Whilst we can put in place a whole number of measures, it can sometimes be impossible when someone takes that particular stance."

Image source, Lis Burke
Image caption,

The data breach involved patients in the island of Stronsay

And, he said, the health board had "upped the number of random audits on case files" to try and detect unusual patterns of access, and was reminding staff "of their responsibilities in relation to information handling".

But, he warned, "as you can imagine, with the number of patient records there are, there is no sophisticated software that would allow us to identify if someone with no professional legitimate reason was accessing a record."

A Scottish government spokesperson said: "We are aware of a data breach that has been investigated by NHS Orkney and reported to the Information Commissioner's Office.

"An independent review of NHS Orkney's information governance procedures was concluded in October 2020 and an action plan, that included strengthening staff training across all the island GP practices, was put in place.

"In light of this recent breach, we will provide whatever support is necessary to ensure lessons are learned and this doesn't happen again."

Related internet links

The BBC is not responsible for the content of external sites.