Thousands of patients’ data exposed in NHS Scotland data breaches

Everyone’s medical history and records should be confidential and secure in the hands of the NHS. But there have been serious privacy breaches resulting in dozens of staff being disciplined and police investigations.

Exterior of an NHS building with a large blue and white NHS logo mounted on the cream-coloured wall beneath a blue sky with scattered clouds.
Image thanks to Marbury/iStock

Scotland’s NHS boards have recorded more than 5,000 data breaches over the last four years, The Ferret can reveal.

Incidents included staff sharing confidential patient information, a cancer patient's medical records being wrongly accessed, and private phone numbers exposed after a cyber attack.

Freedom of information requests sent to Scotland’s 14 health boards also found that Police Scotland has been informed of data breaches six times, while at least 182 staff faced disciplinary sanctions.

Politicians said our findings were “really concerning”. The Information Commissioner’s Office (ICO) – the organisation tasked with enforcing data protection laws – said patient data is “highly sensitive” and health boards are legally obliged to protect it, or face sanctions.

Owned by readers. Built for accountability.

The Ferret is member-owned journalism. That means we can follow leads that matter even when they’re uncomfortable for the powerful.

Join as a member

Health boards are expected to collect, store, use, share and dispose of personal information, or data about individuals, in line with UK data protection laws.

While most of the breaches were for relatively minor issues such as emails being sent to the wrong recipient, concerns have been raised over measures in place to protect sensitive pieces of personal information.

The ICO – an independent authority set up to uphold information rights in the public interest – has broad powers and can serve enforcement notices on data controllers and fine them heavily. Breaching the data protection rules can also, in certain circumstances, be a criminal offence.

If an organisation decides against making a report, the ICO says they should keep a record of it and be able to explain why it was not reported.

We asked health boards how many data breaches they have had since January 2023 and if any staff members were disciplined as a result or reported to Police Scotland.

Most NHS boards provided information but some did not so the number of breaches are likely to be higher.

NHS Board responses

NHS Lanarkshire revealed there had been 1,138 breaches since January 2023. Of these, 171 resulted in staff being disciplined but there have been no dismissals regarding breaches to data.

In 2023 it emerged that NHS Lanarkshire staff shared confidential patient information in an unauthorised WhatsApp group. An ICO investigation found 26 employees shared the names, phone numbers, addresses and clinical information on over 500 occasions between April 2020 and April 2022. The ICO concluded that NHS Lanarkshire lacked appropriate policies around the use of WhatsApp for patient information during the pandemic. The health board, which apologised to patients, received a formal reprimand and was told to improve its data protection practices.  

NHS Lothian logged 14 breaches since over the same period, dismissed six staff members and reported six to police. Last year a woman was charged after around 100 patients had their medical records accessed in a data breach at the health board.

In 2023 a Scots cancer patient was told by NHS Lothian that his medical records had been accessed by staff in a data breach. The health board refused to say then if the staff member had been dismissed, but added that the breach would be fully investigated. The incident affected around 90 people, and followed a similar incident in February 2021, in which an internal audit found that an employee had accessed over 150 NHS colleagues' medical records. 

NHS Dumfries and Galloway was hit by a cyber-attack in 2024 which put a "significant quantity" of data at risk and the files accessed could include "patient-identifiable and staff-identifiable data". It disclosed 607 “data incidents” but said it would be too costly to review each individual case for data breaches.

Two years ago NHS staff had their phone numbers exposed in a cybersecurity incident involving a third-party supplier used by multiple health boards. NHS Grampian confirmed staff phone numbers had been obtained, whilst NHS Dumfries and Galloway issued an alert to staff. The ICO was notified and staff were told to remain alert for suspicious calls or texts. 

Everyone who uses our NHS should be able to do so safely in the knowledge that their medical history and records are safe.

NHS Grampian said an average of 417 reports were made each year about “personal data issues”. The majority of these were “low risk, are managed without harm to the data subject and do not meet the threshold for reporting to the ICO,” the board said. Sixty-eight incidents were reported to the ICO but the board could not provide further information because it is “not centrally recorded”.

NHS Highland told The Ferret there were 10 personal data breaches. They were referred to the ICO but no further action was taken. Over an 18-month period this affected 272 NHS Highland staff and patients. The breaches included human error, technical failures, and a cyber-attack on the NHS Highland supplier. In 2021, human error resulted in 124 patients having their names and addresses included in Covid-19 vaccine letters sent to other patients. In 2022, Thurso resident Peter Todd lodged several complaints after he received records belonging to another patient. He was concerned that his own medical records had gone missing.

NHS Ayrshire & Arran said there had been 164 data breaches. Earlier this year it reported an incident in which a member of staff at University Hospital Crosshouse in Kilmarnock inappropriately accessed electronic patient records. The health board notified the ICO and the Scottish Government and said the staff member no longer works for NHS Ayrshire and Arran.

“The outcome of these investigations can range from early resolution through to dismissal,” the health board told The Ferret. “We have dismissed no staff relating to breaches. Police Scotland are only contacted where the breach is found to be of a level where this would be an appropriate course of action and this has only happened once.”

NHS Greater Glasgow and Clyde had 1,335 incidents but it could not say if any employees were disciplined because its “digital services team does not hold any information on the action taken against individual staff members”.

NHS Forth Valley had 249 breaches and “[fewer] than five” people were disciplined. It would not give further details as it argued this could lead to people being identified.

NHS Orkney recorded five, NHS Shetland had 183 incidents and four were reported to the ICO, although no staff members were disciplined or reported to the police.

NHS patient data breached at least 1,395 times in two years
Dozens of NHS staff have been disciplined after data laws to protect patient’s personal information were breached at least 1395 times over the last two years, we can reveal. Freedom of information requests sent to every NHS board in Scotland found there were at least 1,395 breaches recorded

NHS Western Isles had 107 data breaches but no-one was referred to police. It could not say if any staff were disciplined because the data is “not captured in the incident reporting system”.

NHS Fife said it reported 40 data breaches to the ICO but could not give further details.

NHS Tayside did not provide information. It said the scope of The Ferret’s request was “very broad and due to NHS Tayside being a very large organisation, a lot of the requested information is not centrally held or readily available”.

NHS Borders had 525 breaches but claimed that providing further information would breach the Data Protection Act 2018.

Five years ago The Ferret revealed there had been 1,395 data breaches in Scotland in just two years. Our requests for information on NHS data breaches were prompted by the case of a radiographer who accessed the personal records of more than 200 female patients before stalking them.

Andrew Stewart worked at hospitals in Lanarkshire and Ayrshire where he dealt with hundreds of patients. He used his position to look up files of women he had treated and made a note of their contact details. The medic then pestered the women, some of whom were domestic abuse victims, with a string of messages on Facebook and WhatsApp in a bid to have relationships with them. One of his victims, Vivien Hamilton, told The Ferret that this harassment forced her to move home.

Woman stalked by radiographer after NHS file accessed speaks out
A woman stalked by a radiographer after he stole her NHS files has spoken for the first time about the impact of his actions on her life and how she moved home. Waiving her anonymity, Vivien Hamilton spoke to The Ferret because she wants to help other women who may

‘Really concerning’

An ICO spokesperson said: “Patient data is highly sensitive information that must be handled carefully and securely. When accessing healthcare services, people need to trust that their data is in safe hands. We expect all health boards to have robust technical controls, clear staff training, and strong cultures of accountability in place. Where organisations do not comply with the law, we will take action."

Kayleigh Kinross-O'Neill, the Scottish Greens MSP, said: “This is really concerning and will have an impact on patient and staff confidence. Everyone who uses our NHS should be able to do so safely in the knowledge that their medical history and records are safe.”

She added: “NHS data controllers need to look at the processes they are using and if they are as strong as they should be. Our health boards need to work with patient groups and others to ensure that they build a system that works for all patients and medical staff.”

A Scottish Government spokesperson said: “The privacy of patients and service staff is paramount and we expect all NHS boards and delivery partners to protect and respect individuals’ information and rights at all times.”

“Recognising the ever-increasing cyber and information threats faced across health and care, we also work with boards to ensure they receive the support, guidance and assurance needed to respond effectively when a reportable incident occurs.”

Great! You’ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to The Ferret.

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.