Aberdeen Royal Infirmary suffered a potential data security breach after a man was caught allegedly pretending to be a doctor at the hospital, it was revealed today.
NHS Grampian reported the incident to data protection watchdog the Information Commissioner’s Office (ICO) earlier today after The Press and Journal revealed a 20-year-old man had been arrested on January 26.
It’s claimed he fraudulently posed as both a medicine student and qualified medic on various occasions for weeks before ARI security staff apprehended him in the Green Zone of the emergency department last Friday.
The P&J also understands that he’s facing allegations that he stole laptops and pagers.
An official at the ICO said it’s “assessing” a data breach that was reported to it by the health board on Wednesday.
Regulator ‘assessing’ report of ‘data breach’ at Aberdeen Royal Infirmary
Organisations are legally obligated to notify the ICO within 72 hours, or three days, of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms.
The ICO spokesman said today: “We can confirm we have received a report of a data breach from NHS Grampian and are assessing the information provided”.
The P&J had previously asked the north-east health authority shortly after midday yesterday if NHS bosses were aware of data breaches and whether they had reported any to the ICO.
A senior figure said that a detailed response to our query would not be possible before at least early afternoon today.
It was only after ICO told The Press and Journal late this afternoon that the health board had reported a potential data breach, that NHS Grampian then confirmed to us that it had made contact with the regulator.
A health board spokeswoman had previously told us on Monday night that the alleged pretend doctor did not have any contact with patients or access to their medical records.
Today, in a new statement, the NHS Grampian spokeswoman said: “Internal investigations into this matter are ongoing. We have made the Information Commissioner’s Office aware of the incident and will follow any guidance they offer.”
Court appearance expected after ‘fake doctor’ arrest and alert over report of data security breach
The Information Commissioner’s Office defines personal data breaches as security incidents that have affected the confidentiality, integrity or availability of personal data.
Such incidents include the unauthorised disclosure of, or access to, personal data by a third party.
Computing devices containing personal data that have been either lost or stolen would also be a potential matter to be probed by the ICO, its website explains.
A spokeswoman for Police Scotland previously confirmed that officers “were made aware of a man falsely claiming to be a member of staff at Aberdeen Royal Infirmary around 4.40am on Friday 26 January.”
She added: “A 20-year-old man was arrested and charged in connection with the incident. He was released on an undertaking to appear in court at a later date.”
For all the latest court cases in Aberdeen as well as crime and breaking incidents, join our Facebook group.