AN UNIDENTIFIED person gained access to a Fife a hospital ward and gained personal information relating to 14 patients.

The person, who has not yet been traced after CCTV had accidentally been switched off, also helped with administering care to one patients during the incident which took place earlier this year.

This week, the Information Commissioner’s Office (ICO) has issued a reprimand to NHS Fife and ordered that improvements take place to prevent a repeat.

It confirmed that in February 2023, an unauthorised person gained access to a ward. Due to a lack of identification checks and formal processes, the non-staff member was handed a document containing personal information of 14 people and assisted with administering care to one patient.

The data was taken off site by the person and has not been recovered.

The ICO said that while the hospital had CCTV installed, the wall socket with the CCTV had been accidentally turned off by a member of staff prior to the incident.

Hindered by the lack of CCTV, police have not been able to identify the person or recover the lost data.

The ICO’s investigation concluded that NHS Fife did not have appropriate security measures for personal information, as well as low staff training rates.

Following this incident, NHS Fife has introduced new measures such as a system for documents containing patient data to be signed in and out, as well as updated identification processes.

Natasha Longson, ICO Head of Investigations, said: “Patient data is highly sensitive information and must be handled with the appropriate security.

"When accessing healthcare and other vital services, people need to trust that their data is secure and only available to authorised individuals.

“Every healthcare organisation should look at this case as a lesson learned and consider their own policies when it comes to security checks and authorised access. We are pleased to see NHS Fife has introduced new measures to prevent similar incidents from occurring in the future.”

The ICO recommended that NHS Fife could improve its data protection compliance by improving the overall training rate, in line with current legislation.

For example, refresher data protection training should be provided to all staff more frequently and underpinned by written guidance on security for employees.

It recommended the health board develops guidance or a policy in relation to formal ID verification and reviews all policies available from their intranet, ensuring that they are all up-to-date and accurate, with archived versions clearly marked.

The ICO has asked NHS Fife to provide an update of actions taken within six months of the reprimand being issued.

Responding to the incident, a spokesperson for NHS Fife said: “Earlier this year an individual purporting to be a member of agency nursing staff attended St Andrews Community Hospital.

“The individual was only on a ward for a short period of time and left shortly after being challenged by a member of the nursing team. While the person was never alone with any patient, they did have access to a handover document containing information relating to patients on the ward.

“NHS Fife and Fife Health and Social Care Partnership, who operate the facility, immediately reported the incident to Police Scotland and also referred the incident to the Information Commissioners Office. The patients involved and their families were informed of this breach of security.

"We acknowledge the findings of the Information Commissioners Office, and have apologised to those involved.

"A range of additional measures were put in place shortly after the incident to prevent such a matter from occurring again in future.

"We have since carried out a Significant Adverse Event Review and a working group has been established to implement the recommendations of both the Information Commissioner and the findings of our own review across the entirety of NHS Fife."