An investigation has been launched by Police Scotland after the medical records of more than 150 NHS Lothian staff members were “inappropriately accessed” by a colleague, the Scotsman reported.
Following a delay in locating a record of the incident, which arose because NHS Lothian was unable to provide certain details over patient confidentiality concerns, Police Scotland has confirmed that the breach was traced to a staff member at the Edinburgh Royal Hospital.
The time period in which the medical records were accessed is unknown, but a spokesperson for Police Scotland confirmed that the incident was reported to officers in Edinburgh on Tuesday, February 2.
Affected staff members were informed of the incident by letters sent out a few days later.
The issue was detected when NHS Lothian’s routine monitoring system picked up unusual activity showing that one staff member had viewed the medical records of other staff members outside of normal duties.
It is understood to have affected more than 150 NHS Lothian staff members, all of whom have been contacted to let them know.
Information which may have been accessed includes the dates of any appointments staff members attended as patients, waiting lists they were on, details of their medical conditions, and the date and location of any inpatient admissions and discharges.
A spokesperson for Police Scotland said: “Officers in Edinburgh received a report around 2.35pm on Tuesday, 2 February, of data protection offences by a member of NHS staff at the Royal Edinburgh Hospital.
“Enquiries into the incident are ongoing.”
Dr Tracey Gillies, Medical Director for NHS Lothian, said: “NHS Lothian has become aware that a member of staff may have inappropriately accessed staff records. We swiftly started an enquiry into this matter and as part of this investigation we are contacting anyone whose records have been accessed.
“NHS Lothian takes incidents like this extremely seriously and we have written to offer our sincere apologies to those affected. The breach was picked up by our Fair Warning system, which is an e-health monitoring system. Our robust monitoring identified this activity and it was reported to Police Scotland as soon as we became aware of the breach.”