The private details of almost 300 NHS Highland staff and patients were exposed due to data breaches over an almost 18-month period.
Figures obtained through a freedom of information (FOI) request revealed 272 people were impacted in seven serious data breaches at the health board in the last two years.
All seven breach incidents – involving “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data” – were reported to the Information Commissioner’s Office (ICO).
Four of the breaches happened in 2024 and three in 2025, including one in just the last month.
Two breaches were a result of technical errors, while four were incidents of human error, and one was a result of a cyber attack on a supplier to NHS Highland.
The health board conducted a review into each incident and carried out what it called “mitigations” including staff training in an attempt to prevent future breaches.
A spokesperson for NHS Highland said: “NHS Highland is committed to safeguarding patient confidentiality and addresses data breaches with the highest level of seriousness. We will consistently take decisive action to prioritise the protection of patients’ privacy and confidentiality at all times.”
However, the health board is no stranger to data breaches. In 2021, human error resulted in 124 patients having their names and addresses included in Covid vaccine letters sent to other patients.
In 2022, Thurso resident Peter Todd lodged several complaints after he was concerned that his own medical records had gone missing, as he received records belonging to another patient.
Highland MSP Emma Roddick (SNP) also previously suffered a mix-up with her own files.
She said: “This is something that has been raised with me by multiple patients, and I have also raised my own data issues after having requested a copy of my records, so, I entirely appreciate and empathise with the distress folk feel when they read something that they shouldn’t have seen or worry about their own information being shared with others.
“I have spoken with NHS Highland about this, and the strong advice given is to report each data breach, allowing the health board to look into it, find out why it has happened, apologise, and stop it from happening again.
“I am more than happy to support constituents to make complaints or pursue investigations, either for individual reasons or to support wider campaigns for better data protection.”
NHS Highland was reprimanded in 2023 after it copied 37 people into an email, inviting them to use HIV services and revealing all of their individual email addresses to each other.
Last year saw the second-highest annual number of data breaches recorded by the health board in the past seven years (four), only beaten by 2022’s total of six.
Scottish Conservative Highlands and Islands MSP Edward Mountain added: “We all know that there are unscrupulous hackers out there who are looking for information.
“It is unacceptable that NHS Highland have allowed patient and staff records to get into the wrong hands.
“There is nothing more private than your medical notes, and I hope that NHS Highland have sensitively reached out to those people who have been affected.”
Local Democracy Reporting by Olivia Andrews
