NHS data breach exposes 24 staff data in Scotland

NHS

The private data of 24 NHS employees have been caught up in a data breach, reports reveal.

The data breach occurred after personal details were sent in an email to senior executives, but also to 24 NHS staff members who were off work with sickness.

Mental health issues, surgery information, and data on individuals who had suffered accidents, were also compromised in the data breach.

In the aftermath, the Information Commissioner’s Office (ICO) launched an official investigation which eventually traced the origins of the data breach back to an employee relations team in the HR department in Glasgow.

When staff realised they had made a mistake, a second email was sent out to the recipients of the first email ordering them not to open the first communication.

In a letter of apology, NHS 24’s human resources business partner, Louise Gordon, wrote:

“Unfortunately, I am writing to let you know about a data security incident that involved your personal information.

“I wish to personally apologise for this error and unintended consequences.”

A person close to the issue at NHS 24 said:

“It is a matter of concern that an organisation that deals with the personal medical information data of thousands of members of the public cannot protect the privacy of their own staff.”

Scottish Labour Health spokeswoman Monica Lennon MSP said:

“This is an extremely serious data breach. Staff will rightly be outraged their personal information has been inappropriately shared in this way.

“Both NHS 24 and ministers must provide reassurances this will not happen again.”

An NHS spokeswoman said:

“NHS 24 conducted an investigation as soon as we were made aware of a potential data protection breach. In line with protocols, we informed the ICO of the potential breach.

“Following a full investigation, we were advised that no action would be taken.”

The ICO said: “NHS 24 Scotland reported this incident to us and this matter has now been closed.”


Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Reserve your place before 2nd October, and receive VIP access to PrivSec Global which includes priority access to limited space sessions, workshops, networking opportunities and exclusive content.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.