A reporter exposed a “serious” data breach after gaining access to medical records and other sensitive material without being challenged – despite multiple security warnings.

Eastern Daily Press journalist Sabrina Johnson, pictured, discovered confidential patient records, staff notes and sensitive files after she was able to walk into an abandoned care home in Norfolk.

Sabrina’s investigation has now prompted action both from Norfolk County Council and the Information Commissioner’s Office.

Pine Heath nursing home in High Kelling, near Holt, closed suddenly in May 2017 after it was placed in special measures after being rated inadequate in a report by the CQC.

The EDP splashed on Sabrina’s investigation on Friday

Despite security signs promising 24-hour security, dog patrols and more, there was no evidence of any such measures in place and Sabrina walked unchallenged into the building through an open door following a tip-off from a reader.

There, she found piles of discarded sensitive material including private patient records, as well as boxes of nursing records dating back more than a decade and care plans with photographs of former residents stuck on to the front.

In another room Sabrina saw unlocked filing cabinets containing dozens of staff records, including holiday forms, meeting notes, sickness forms and p45s, while former residents’ wallets and loyalty cards lay on a desk.

Norfolk County Council’s data protection team have moved to secure the paperwork after being alerted to Sabrina’s findings by the Norwich-based EDP, while the ICO is now assessing the information provided by the newspaper.

Sabrina told HTFP: “This was a breach of people’s personal data, which should have never been allowed to happen.

“When I saw what had been left at Pine Heath I was shocked, not only by the quantity of sensitive documents but also by the way they had been left unsecured in the dilapidated building.

“And I wasn’t alone, following our story readers have also shared their shock at the breach.

“Our story led to Norfolk County Council to go to the home to secure the documents and the Information Commissioner’s Office is launching an investigation which we will be following up on.”

A council spokesperson said: “Everyone has a right to expect their personal information to be stored securely, and the failure of the former care provider at Pine Heath to do so is a serious breach of both data protection legislation and their contractual obligations to Norfolk County Council.

“As Pine Heath is no longer operating and to ensure the personal information was secured, NCC has taken steps to secure the files to ensure that individuals’ personal data is no longer at risk.

“The matter has been reported to the Information Commissioner’s Office (ICO) to allow them to investigate further and we will cooperate with them as required to resolve this matter.”