More than 5,000 NHS Scotland data breaches since 2023
- 13 July 2026
- A Freedom of Information (FOI) investigation by The Ferret has revealed more than 5,000 NHS Scotland data breaches since 2023
- At least 182 staff have been disciplined and six incidents referred to Police Scotland
- Most breaches involved information governance failures, including unauthorised record access and cyber-related incidents
More than 5,000 data breaches have been recorded across NHS Scotland health boards since January 2023, with at least 182 members of staff disciplined and six incidents referred to Police Scotland, according to a Freedom of Information (FOI) investigation by The Ferret.
The findings highlight the scale of information governance incidents across Scotland’s NHS, ranging from emails sent to the wrong recipients to unauthorised access to confidential patient records and cyber-related data breaches.
Responses from Scotland’s 14 territorial health boards revealed at least 5,000 reported breaches during the period covered by the FOI requests. The true figure is likely to be higher because some organisations were unable to provide complete data or declined to respond in full.
NHS Greater Glasgow and Clyde recorded the highest number of incidents, with 1,335 data breaches, followed by NHS Lanarkshire with 1,138 and NHS Borders with 525.
NHS Dumfries and Galloway disclosed 607 data incidents but said reviewing each case individually to determine whether they constituted data breaches would exceed cost limits under FOI legislation.
An Information Commissioner’s Office (ICO) spokesperson told The Ferret: “Patient data is highly sensitive information that must be handled carefully and securely. When accessing healthcare services, people need to trust that their data is in safe hands.
“We expect all health boards to have robust technical controls, clear staff training, and strong cultures of accountability in place. Where organisations do not comply with the law, we will take action.”
NHS Lanarkshire said 171 staff members had faced disciplinary action following data breaches, although no members of staff were dismissed.
The board was formally reprimanded by the ICO in 2023 after staff shared confidential patient information in an unauthorised WhatsApp group more than 500 times between 2020 and 2022.
NHS Lothian reported 14 breaches during the period covered by The Ferret’s FOI requests. The board also dismissed six members of staff and referred six cases to Police Scotland.
The board has previously investigated incidents involving the inappropriate access of cancer patients’ medical records and the unauthorised viewing of more than 150 colleagues’ health records.
A Scottish government spokesperson said: “The privacy of patients and service staff is paramount, and we expect all NHS boards and delivery partners to protect and respect individuals’ information and rights at all times.
“Recognising the ever-increasing cyber and information threats faced across health and care, we also work with boards to ensure they receive the support, guidance and assurance needed to respond effectively when a reportable incident occurs.”
The investigation also refers to the 2024 cyber attack on NHS Dumfries and Galloway, which exposed significant volumes of patient and staff data, as well as a separate third-party cyber security incident that exposed NHS staff phone numbers across multiple Scottish health boards.
Cyber security expert Saif Abed, founding partner at the AbedGraham Group, told Digital Health News: “The NHS, unfortunately, lacks transparency with the public when it comes to the scale of data breaches. The fact that it takes a series of FOI requests to unmask the scale of the problem reflects this.
“Even more worrying is the weak response by both health boards and the ICO in terms of taking meaningful punitive enforcement and disciplinary measures to stem the behaviour that leads to these types of breaches.
“This is all indicative of a wider malaise at executive levels as far as data privacy and cyber security are concerned.”
