The Scottish Ambulance Service (SAS) is investigating an alleged “serious” breach of personal data.
Documents about staff were allegedly taken from a locked file within a manager’s locked office in Moray.
Local MP Douglas Ross said he was contacted by a whistleblower.
It was claimed the notes were read by members of staff and then discarded into a cardboard box in a store room.
The box was said to have been taken to the SAS base in Forres and “left unsecured in a garage”.
Ross, also leader of the Scottish Conservatives, said: “This appears to be a serious breach of General Data Protection Regulation (GDPR) rules on the safe storage of sensitive and confidential material.
“It’s very concerning to me that this has happened within what should be secure areas of SAS premises in Moray.”
He said it was “worrying” that documents had been “passed around for some time”.
SAS chief executive Pauline Howie has written to Ross, confirming that the service was alerted last month.
A spokesman for the service said: “Our information governance team were alerted to an incident involving personal information of staff which was discovered on secure ambulance service premises.
“There’s no evidence that these files have been accessed by anyone outwith the ambulance service and the files have since been removed to a secure location.
“A detailed investigation is ongoing and in line with legislative requirements. SAS has also notified the information commissioner’s office who are reviewing the incident.
“SAS has informed the employees whose information is involved, have apologised and are providing ongoing support.
“We will be reviewing all learnings from this full investigation and will implement any actions identified.”