NHS patient data breached at least 1,395 times in two years

Dozens of NHS staff have been disciplined after data laws to protect patient’s personal information were breached at least 1395 times over the last two years, we can reveal.

Freedom of information requests sent to every NHS board in Scotland found there were at least 1,395 breaches recorded and 73 people have faced disciplinary action. Four people have been reported to Police Scotland. Several boards did not disclose figures so the total could be higher.

Our requests for information on NHS data breaches were prompted by the case of a radiographer who accessed the personal records of more than 200 female patients before stalking them.

Andrew Stewart, 32, worked at hospitals in Lanarkshire and Ayrshire where he dealt with hundreds of patients. He used his position to look up files of women he’d treated and made a note of their contact details.

The medic then pestered the women, some of whom were domestic abuse victims, with a string of messages on Facebook and WhatsApp in a bid to have relationships with them.

One of his victims – Vivien Hamilton – spoke to The Ferret about how his behaviour and said it forced her to move home. We’ll report her story tomorrow.

In response to The Ferret’s investigation, Action Against Stalking said it was “very concerning” that data breaches within the NHS “appears to be an ongoing issue”. The Scottish Liberal Democrats said the figures were “extremely troubling” while Scottish Labour said data protection laws are “only as good as the people controlling them”. 

The health boards said in reply they take the issue of patients’ confidentiality extremely seriously.

Breaches of personal data cover a broad range of scenarios including unlawful access and the deletion of files. 

I find these figures very concerning. Data breaches within the NHS appears to be an ongoing issue and quite concerning given the small number of cases being reported to the police

Ann Moulds, CEO of Action Against Stalking

Organisations must notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms. 

If an organisation decides against making a report, the ICO says they should keep a record of it and be able to explain why it wasn’t reported if necessary.

Most NHS boards provided figures in reply to our requests for information but some said they were unable to.

NHS Greater Glasgow and Clyde recorded the highest number of breaches. It said that since January 2018 the board has recorded 673 data breaches of which 95 per cent were the result of human error. Five per cent (34) resulted in disciplinary action. The board said it does not “routinely report serious data breaches” to the police, instead letting the ICO investigate and liaise with the procurator fiscals office if they believe criminal charges should be brought.

NHS Tayside said there have been 273 data breaches but said it could not disclose what action, if any, has been taken against staff because the information is “not held centrally”.

NHS Lanarkshire said there have been 220 incidents recorded. These resulted in 34 first written warnings, one second and final written warning, and four people were given “formal counselling”. Three incidents were reported to the police. We asked if these people were still employed but the trust refused to say. 

In a statement, Kay Sandilands, NHS Lanarkshire director of human resources, said the board “takes patient confidentiality and data breaches extremely seriously” and will take “appropriate action against any staff member involved in a data breach”.

NHS Borders revealed there had been 95 recorded data breaches, with no individuals dismissed. One person resigned before an investigation was concluded, it said.

NHS Ayrshire and Arran said it could not provide figures for the number of breaches but said one case was referred to Police Scotland. NHS Ayrshire & Arran’s medical director Dr Crawford McGuffie said: “We have organisational policies and procedures in place to ensure the safe handling of personal information. Any identified breach will be fully investigated and appropriate action taken.”

NHS Western Isles  said there were 84 breaches since May 2018 but no staff have been disciplined. 

NHS Shetland reported 24 data breaches to the ICO between January 2018 and February 2021. “The vast majority of these reports were due to patient information being disclosed to the wrong person because of administrative errors. There have been no disciplinary measures against staff or reports to Police Scotland,” its FOI reply added.

NHS staff have access to a great deal of personal sensitive data, so boards must ensure they have the appropriate measures and training in place to ensure people’s information is handled responsibly

Information Commissioner’s Office

There were eight data breaches recorded by NHS Orkney and notified to the ICO. “In terms of disciplinary situations, NHS Orkney is not able to break this information down any further on the grounds that individuals may be able to be identified,” its response added.

NHS Grampian said 45 incidents have been recorded but that no further action was taken. There were six recorded by NHS Highland and each was reported to the ICO. No members of staff have been disciplined or dismissed.

NHS Dumfries and Galloway said there were 12 breaches but refused to confirm or deny if any action has been taken.

NHS Forth Valley did not disclose figures but said: “Any breaches are taken very seriously.” NHS Lothian did not specify figures, arguing it did not have people’s consent to “release data from their records”

NHS Fife said our freedom of information request was not received.

Ann Moulds, chief executive officer of Action Against Stalking, said: “I find these figures very concerning. Data breaches within the NHS appears to be an ongoing issue and quite concerning given the small number of cases being reported to the police.

“However what is more concerning  in this particular case, this sexual predator had free access to be in close contact women within his professional role, and then was free to harvest their information to be used to further his sexual advancements towards them – and would have continued to have done so unchecked, had one of the women not raised the alarm.

She claimed there was a “complete failure to implement reasonable and robust data protecting security protocols and processes” by the NHS, adding: “What evidence is there to ensure such situations are not happening across other NHS trusts.”

We have organisational policies and procedures in place to ensure the safe handling of personal information. Any identified breach will be fully investigated and appropriate action taken

Dr Crawford McGuffie, medical director at NHS Ayrshire & Arran

A spokesperson for the Information Commissioner’s Office said people have the right to expect that “organisations will handle their personal information securely”. 

The ICO added: “NHS staff have access to a great deal of personal sensitive data, so boards must ensure they have the appropriate measures and training in place to ensure people’s information is handled responsibly.

Scottish Labour deputy leader and health and social care spokesperson Jackie Baillie said: “Data laws exist to protect people and in the case of hospital records, it is vital that personal – and potentially very sensitive – information is properly controlled.

She added: “Unauthorised breaches of data, especially for malicious or improper purposes, must be fully investigated and, when necessary, referred to the police. Data protection laws are only as good as the people controlling them. Assurances must be given that the highest standards are being applied to ensure all patient information is being properly safeguarded.”

Scottish Liberal Democrats health spokesperson Alex Cole-Hamilton said the “overwhelming majority” of NHS staff would “never dream of abusing their position”. But he said these data breaches are “nevertheless extremely troubling”.

“Patients need to have confidence that the information they provide will be handled appropriately. Health boards must ensure that appropriate training and security measures are in place to avoid personal data falling into the wrong hands,” Cole-Hamilton added.

Photo thanks to iStock and rajurahman85

Good journalism changes things

The Ferret was established in 2015 with a mission to publish fearless, high quality journalism.

Since then thousands of people have joined us. We hope you will too.

We're a cooperative with places reserved for both our writers and subscribers on the board.

We're independently regulated, and work hard to keep our overheads down. This means that all the money we get from our subscribers is invested directly in original public interest news.

We're avowedly non-partisan so we can treat everyone fairly. We don't publish click bait and we don't do favours for political parties or powerful vested interests. We do help to change things.

Or see your other subscription options.

Got a story idea?

Tell us what you'd like us to write about next and vote up the best ideas.

Hi! You can login using the form below.
Not registered yet?
Having trouble logging in? Try here.