‘Fake nurse’ gave care to patient at Scottish hospital
A health board in Scotland has been reprimanded after a woman pretending to be a nurse gave care to a patient and stole sensitive medical records.
The Information Commissioner’s Office (ICO) has issued NHS Fife with a reprimand following the incident, which occurred at St Andrews Community Hospital earlier this year.
The suspect has not been identified and the documents are still missing.
In February 2023, an unauthorised person gained access to a ward by pretending to be a member of agency nursing staff.
Due to a lack of identification checks, the non-staff member was able to assist with administering care to one patient and was also given a document containing personal information of 14 people.
This data was then taken off site by the individual and has still not been recovered.
NHS Fife has apologised for the incident.
A spokesperson for the health board said: “Earlier this year an individual purporting to be a member of agency nursing staff attended St Andrews Community Hospital.
“The individual was only on a ward for a short period of time and left shortly after being challenged by a member of the nursing team.
“While the person was never alone with any patient, they did have access to a handover document containing information relating to patients on the ward.”
NHS Fife said that it immediately reported the incident to Police Scotland as well as the ICO.
Patients affected by the incident and their families were also informed of the breach.
The ICO explained in its reprimand that, while the hospital had CCTV installed, the wall socket that the CCTV was connected to had been accidentally turned off by a member of staff before the incident took place.
As such, police have been unable to identify the person or locate the lost data.
This means there remains a “potential on-going risk” to the data subjects, as the intentions of the unauthorised individual are unknown, the ICO warned.
Its investigation concluded that NHS Fife did not have appropriate security measures for personal information, and lacked staff training on topics like data protection.
The commissioner noted that, following the incident, the health board had introduced new measures such as a new system for documents containing patient data to be signed in and out, as well as an updated verification process.
The spokesperson for NHS Fife added: “We acknowledge the findings of the Information Commissioner’s Office and have apologised to those involved.
“A range of additional measures were put in place shortly after the incident to prevent such a matter from occurring again in future.
“We have since carried out a significant adverse event review and a working group has been established to implement the recommendations of both the information commissioner and the findings of our own review across the entirety of NHS Fife.”
ICO head of investigations, Natasha Longson, said: “Every healthcare organisation should look at this case as a lesson learned and consider their own policies when it comes to security checks and authorised access.
“We are pleased to see that NHS Fife has introduced new measures to prevent similar incidents from occurring in the future.”