'Fake nurse' entered St Andrews Community Hospital, helped treat patient and left with medical documents

A health board has been reprimanded after an unauthorised person gained access to a hospital ward, helped treat a patient, and made off with sensitive medical documents.

The Information Commissioner's Office (ICO) said police have been unable to identify the person responsible or recover the lost data, as the investigation was hindered by the CCTV having been "accidentally" switched off.

The incident happened at St Andrews Community Hospital in February 2023.

NHS Fife said the individual was able to gain access after "purporting to be a member of agency nursing staff" but left shortly after being challenged by another worker.

The ICO said the person assisted with administering care to a patient and was handed a document that contained the personal information of 14 people.

The ICO said the person was able to access the ward "due to a lack of identification checks and formal processes".

The data protection watchdog confirmed the hospital had CCTV, but the wall socket it was connected to was "accidentally turned off" by a staff member prior to the incident.

The ICO has now reprimanded NHS Fife for its security failings that led to the loss of the personal medical data.

Natasha Longson, ICO head of investigations, said: "Patient data is highly sensitive information that must be handled with the appropriate security.

"When accessing healthcare and other vital services, people need to trust that their data is secure and only available to authorised individuals.

"Every healthcare organisation should look at this case as a lesson learned and consider their own policies when it comes to security checks and authorised access."

Following the incident, NHS Fife introduced new measures such as a system for documents containing patient data to be signed in and out, as well as updated identification processes.

The ICO provided recommendations - including improving the overall training rate - and has asked the health board to provide an update of actions taken within six months of the reprimand being issued.

A spokesperson for NHS Fife said: "Earlier this year an individual purporting to be a member of agency nursing staff attended St Andrews Community Hospital.

"The individual was only on a ward for a short period of time and left shortly after being challenged by a member of the nursing team.

"While the person was never alone with any patient, they did have access to a handover document containing information relating to patients on the ward."

NHS Fife and Fife Health and Social Care Partnership, who operate the facility, immediately reported the incident to Police Scotland and referred it to the ICO.

The spokesperson added: "The patients involved and their families were informed of this breach of security.

"We acknowledge the findings of the ICO, and have apologised to those involved.

"A range of additional measures were put in place shortly after the incident to prevent such a matter from occurring again in future.

"We have since carried out a significant adverse event review and a working group has been established to implement the recommendations of both the information commissioner and the findings of our own review across the entirety of NHS Fife."