Investigation after patient’s details used for Facebook pestering

The woman was a patient at Edinburgh Royal Infirmary. Pic by Lisa Jarvis.

A HOSPITAL cleaner tracked down a woman and pestered her on Facebook after stealing her details from a computer screen.

An investigation is now under way into the serious breach of patient confidentiality, after the cleaner poached the patient’s records from an electronic display meant only for nurses.

The worker noticed the woman while she was being treated at the accident and emergency department of Edinburgh Royal Infirmary, one of Scotland’s biggest hospitals.

The patient- who was being treated for a hand injury- had no contact with the cleaner but the next day, he sent her a message on the social networking site Facebook, inviting her to become his friend.

The woman, who has asked not to be identified, received five messages from the cleaner in total.

In the messages, the cleaner jokingly admitted using hospital computers to look up her personal details and track her down online.

The patient and her family today called for an inquiry into how patients’ records are protected.

The worker, who was employed by Consort  – the private firm contracted to clean Edinburgh Royal Infirmary – has been suspended.

NHS Lothian has referred the matter to police, who have launched an investigation.

The woman said: “I was really upset when I read the e-mail.

“I didn’t know who he was, what he was capable of, or whether he also knew my address and phone number. I didn’t know if he was just going to turn up at the house.

It’s just wrong in so many ways.

“I’ve got two boys at home – one aged two, the other six months – so I was worried for them, too. I’ve been told by the police I’m not allowed to go out by myself, or go out when it’s dark. It’s really serious.”


The cleaner first contacted her last Thursday, the day after she received treatment for a hand injury in the accident and emergency unit.


She received a Facebook friendship request with the message: “Btw if ur wonderin who I am, I was checkin u out yest J ha hows the hand? X”

When she asked who he was, he replied: “I work in a&e, random ano lol delete me if u want, just thought u were nice!”

In another message, he claimed he had found her name on one of the hospital’s computers after she left.

The woman, who lives in Edinburgh, said: “I went to the hospital because I fell and broke two fingers on my right hand.

“I can remember seeing him cleaning, and my dad, who was with me, remembers him, but I don’t remember him even looking at me, let alone “checking me out.”

The family complained about the messages to NHS Lothian.

There, health chiefs referred the case to Lothian and Borders Police, and also informed Consort, which employed the cleaner.

After making the complaint, the patient then received a final message from him asking her not to take the matter any further because he did not want to lose his job before Christmas.

But terrified by the lack of patient confidentiality, the family is now demanding a full review of security of patient details.

The woman said: “The hospital should have better data-protection measures in place to stop this happening in the first place.

“How was he able to get across to the computer? My family and I will be taking this further.

“There should be more security in place. There should ne an inquiry into how they protect patient information.”

The Scotland Patients’ Association is backing the request and is calling for the cleaner to be immediately dismissed, rather than suspended.

Chairwoman Margaret Watt said: “ It is an absolute disgrace. He stalked her. Not only has this man let down himself, but he’s let down patients all over Scotland.

He should be immediately dismissed from his post. The idea of him potentially coming back to work is ridiculous. It’s a totally unforgivable thing to do.

“There definitely needs to be more safeguards in place and security over records. We are concerned about confidentiality.”

She added: “We do know that these kinds of things are going on, although we don’t know to what extent.  But if there is another party involved, then they ought to be punished too. This man obviously managed to get the patient’s name and if someone left her file down by mistake then they should take responsibility for their actions too.

She added: “This has hugely overstepped the mark.  Patient will lose faith in their hospitals if this is the kind of thing that’s going on.

“It will plant a seed of doubt in people’s heads and they might think that their files have been hacked too.”

Jackie Sansbury, chief operating officer of NHS Lothian, said they took patient confidentiality extremely seriously.

She said: “An incident involving an employee from an independent contractor was reported and immediate action was taken.

“It has been reported to Lothian and Borders Police, and therefore it would be inappropriate to comment further.”

Ms Sansbury denied earlier reports that the hospital’s computer systems had been hacked in to.

She said: “A full review of our confidential patient record and monitoring system has now been carried out and shows that our systems were not breached by this individual. Therefore he had no access to private medical records and information which is protected by a range of complex security systems.

“We understand that this member of contracted staff only gained the patient’s name from an electronic screen for staff showing a floor plan in the treatment area of Accident and Emergency Department, in much the same way as a patient’s name would be displayed above their bed in a ward area.

“This in no way excuses behaviour of this kind however and security messages have been reinforced to our staff and sub-contracted employees to ensure they comply with our data security guidelines. Any member of staff who breaks our rules will face investigation under our disciplinary procedures. “

A spokeswoman for Consort, the cleaning company, added: “Consort Health Care takes allegations of confidentiality very seriously.

“When an incident involving an employee was reported, immediate action was taken. Also, the matter was reported to police; therefore it would be inappropriate to comment further.”

Last month, dozens of health staff in the Lothians were disciplined for breaching confidentiality rules over patient records.

One was sacked and received a criminal caution, a second worker was suspended and others were given final warnings.

The figures were released in a report compiled by civil liberties campaign group Big Brother Watch as a result of freedom of information requests.

Police confirmed the new allegations, involving the hospital cleaner, were currently under investigation.

A Lothian and Borders spokeswoman said: “We can confirm that a complaint has been received, and we are looking into it.”

A spokesman for the UK Information Commissioner, which oversees data protection in Scotland, said: “It is important hospitals do as much as they can to keep patient’s records secure.

“As this is a police investigation, we cannot comment further.”


  1. You are being a bit naive VJ. Facebook wasn’t the issue. Its the access to information that could potentially be used for identity theft or other serious fraud crimes. This was a disturbing incident but as the victim mentioned it could have been worse. I have to admit I have walked past lots of screens that were left open whilst visiting in hospital.

    • I don’t think VJ is being naive. He is right in what he is saying. Why would she even accept the friend request in the first place? If she didn’t know him??

      I also think Chairwoman Margaret Watt from the Scotland Patients’ Association should get her facts right rather than make incorrect comments. There was no other parties involved nor was there any files inappropriately left somewhere by mistake. They clearly say he has taken the patients name from the computer screen.

      Its about time NHS Lothian gets the respect they deserve.

  2. How did he come across the info? Really? If you work in the ER (A&E) then it is incredibly easy to do so. Notice patient in room X, cruise by a nurses computer, cross-check room X and find the patient’s name. Then just go on facebook. Yes, privacy filters should probably be on the screens, but it’s not like this janitor had permission to view or utilize confidential info. There’s no way his personal account would give him access. This is a problem with a person abusing information he essentially stealing information he is not authorized to have. There likely isn’t really a privacy issue that needs to be dealt with at the hospital. I also don’t see how this would even qualify as harassment. Oh well.

Comments are closed.