A Perthshire woman says she has been left “devastated” after a Ninewells Hospital worker twice snooped on her records.
Details including the 56-year-old’s name, date of birth, address and hospital appointments were accessed on two occasions.
The woman, from Inchture, first suspected her data had been breached when the NHS Tayside worker – who she knew personally – let slip private information during an argument between the pair.
The woman was not attending Ninewells at the time but had records from previous treatment at the hospital.
NHS Tayside has since admitted the employee had “no legal basis” to access the records and has apologised for the breach.
Woman ‘incensed’ after Ninewells data breach
The woman, who asked not to be named, told The Courier: “I was incensed when I found out – I just thought, ‘How dare they?’
“When NHS Tayside got back to tell me there had been a breach I was quite devastated.
“I wanted to know what was accessed – I didn’t let it go and have reported it to the police.
“It still bothers me because I think of who the person could have told.
“I am exhausted with this.”
The woman discovered the breach in March 2023, when it was reported to both NHS Tayside and Police Scotland.
It was also referred to the Information Commissioner’s Office (ICO), which found that the health board had not complied with data protection obligations.
The watchdog upheld the woman’s complaint and made recommendations to NHS Tayside, including mandatory training for staff and updates to procedures.
The woman believes that the employee who accessed her data is still working at Ninewells.
She said: “I worked in the NHS for years and would have lost my job if I did something like this.
“I want people going into Ninewells to know the employee is still there and is still able to access data.”
Health board admits worker had ‘no legal basis’ to breach patient’s confidentiality
In a letter to the Inchture woman, NHS Tayside admitted that her data had been accessed on two occasions – November 10 2021 and April 21 2022.
It said: “NHS Tayside accept that the individual that accessed your records did so inappropriately, with no legal basis to do so, and confirmed to you that this was a breach of your confidentiality in the form of inappropriate access of your health information via the Trakcare patient administration system.
“The data that was accessed within the Trakcare system included your name, address, date of birth, telephone number and information relating to past and future hospital appointments.”
It added: “NHS Tayside wishes to apologise to you again for this breach and assure you that we take the security of your personal data very seriously.
“Due process has been followed by NHS Tayside around the investigation of this data breach.”
NHS Tayside won’t say if worker still employed after Ninewells data breach
NHS Tayside has refused to confirm whether the staff member still works at the hospital.
A spokesperson said: “We have apologised to the woman involved about what has happened and remain in direct contact with her to respond to any outstanding concerns she has.
“NHS Tayside takes the security of patient data extremely seriously and any recorded data breaches are investigated by the Information Governance and Cyber Assurance Team.
“This particular breach was reported to the Information Commissioner’s Office and they have also investigated the matter.
“NHS Tayside has a duty to look after the information that we hold and everyone who processes or accesses information has a responsibility to ensure they comply with data protection legislation, information security and records management.
“Staff are frequently made aware of their responsibilities with respect to data protection and confidentiality, and the need to undertake mandatory information governance training.
“NHS Tayside also has an electronic privacy monitoring system within clinical systems across the organisation to proactively detect unauthorised or inappropriate access to electronic health records.”
A Police Scotland spokesperson said: “We can confirm that police did receive a report regarding this matter on Wednesday March 22 2023 and Friday October 12 2023.
“Advice was given to the reporter and they were advised to contact the relevant agencies.”
Conversation