Lothian NHS workers caught looking at their own medical records

New figures have shown that the number of breaches of IT policy detected at NHS Lothian was on course to more than treble this year, compared with just two years ago.

And it is understood that many of the cases relate to staff members who have been caught looking at their own medical records out of curiosity, unaware that health bosses view it as a serious breach of rules.

Other staff members have faced serious disciplinary action after subverting software to access websites including Facebook, which are banned by the health board’s IT systems.

A source said that on another occasion several workers were given final warnings for accessing the medical records of notorious child killer Peter Tobin, after he was admitted to Edinburgh Royal Infirmary.

Disciplinary action was taken by the health board in almost three-quarters of cases when a breach was detected, with most handed final written warnings and some sacked or resigning before disciplinary action was completed.

Tom Waterson, Unison branch chair for Lothian, said that the union was representing an ever-increasing number of workers who had been caught breaching IT rules.

“Quite a lot of it is people going in and having a look at their own medical records out of curiosity. There is a fair warning system on the computers but people don’t always read it and they don’t actually realise they’re not allowed to look at their own records, but it’s treated the same way as if they looked at someone else’s.

“Usually they get a final written warning but if you breach it again then you’re out. In other cases staff have been able to circumvent the firewall that only allows them access to some sites.

“They’re not doing it to get on dodgy websites, but because it’s deliberate and they’ve worked out how to get round the system it’s taken very seriously.”

The figures, released under the Freedom of Information Act, show that of the 105 data breaches between January 2010 and October this year, disciplinary action was taken in 73 cases. First and final warnings were given to 53 people, eight were given written warnings, four were given counselling, three resigned and three were sacked. In some cases no action was deemed necessary and others are ongoing.

Mr Waterson said that he believed staff in less senior roles were more likely to be punished for IT breaches.

The statistics show that almost 80 per cent of nurses and 71 per cent of administration staff who committed IT breaches faced disciplinary action, but it was taken in just 58 per cent of cases when medical staff were the culprits.

“The medical staff tend not to get done, that is something I’ve noticed,” he added.

Dr David Farquharson, NHS Lothian’s medical director, said: “NHS Lothian takes patient confidentiality and the inappropriate use of information technology very seriously.

“We have a number of policies covering data security and information technology in the workplace. Any staff member who breaks our rules will face investigation under our disciplinary procedures.”