Police investigation launched after breach of more than 150 NHS Lothian staff members' medical records

An investigation has been launched by Police Scotland after the medical records of more than 150 NHS Lothian staff members were “inappropriately accessed” by a colleague.
The Edinburgh Royal Infirmary, within NHS Lothian. The location of affected staff members is not known.The Edinburgh Royal Infirmary, within NHS Lothian. The location of affected staff members is not known.
The Edinburgh Royal Infirmary, within NHS Lothian. The location of affected staff members is not known.

Affected staff members were informed of the data breach by letters sent out earlier this month.

The breach was detected when NHS Lothian’s routine monitoring system picked up unusual activity showing that one staff member had viewed the medical records of other staff members outside of normal duties.

Hide Ad
Hide Ad

Information in the letter was dated from both January and February, but the health board was unable to confirm the time period in which the data breach took place over fears this could identify the individuals involved.

The incident is understood to have affected more than 150 NHS Lothian staff members, all of whom have been contacted to let them know.

Data which may have been accessed includes the dates of any appointments staff members attended as patients, waiting lists they were on, and the date and location of any inpatient admissions and discharges.

It also includes details about the medical conditions of staff members and the contents of any letters sent to them or about them by their GP.

The staff member who accessed the material was interviewed by NHS Lothian before the matter being passed to the police, the health board said.

Read More
Coronavirus in Scotland: Alcohol sales drop during pandemic but concerns over in...

Dr Tracey Gillies, Medical Director for NHS Lothian, apologised to affected staff in the letter sent out.

"I am very sorry to inform you that, during a routine monthly audit of staff access to computerised records we identified a member of staff viewed your patient record when it was potentially not part of their normal duties,” she said.

"We have a duty to inform you of this and assure you that we regard this very seriously. The member of staff was being dealt with through the appropriate disciplinary procedure in NHS Lothian. Due to the seriousness with which we view any breach of patient confidentiality, this matter has also been reported to the Police, the Information Commissioner’s Office and the staff members regulatory body.”

Hide Ad
Hide Ad

Staff members have not been told the identify of the colleague who accessed their records, as the matter has been handed to Police Scotland.

Commenting on the incident, Dr Gillies said: “NHS Lothian has become aware that a member of staff may have inappropriately accessed staff records. We swiftly started an enquiry into this matter and as part of this investigation we are contacting anyone whose records have been accessed.

“NHS Lothian takes incidents like this extremely seriously and we have written to offer our sincere apologies to those affected. The breach was picked up by our Fair Warning system, which is an e-health monitoring system. Our robust monitoring identified this activity and it was reported to Police Scotland as soon as we became aware of the breach.

“We will continue to work closely with Police Scotland and the Scottish Information Commissioner to resolve this matter. As this is now a police matter, we are unable to offer any further comment.”

A message from the Editor:

Thank you for reading this article. We're more reliant on your support than ever as the shift in consumer habits brought about by coronavirus impacts our advertisers.

If you haven't already, please consider supporting our trusted, fact-checked journalism by taking out a digital subscription.



Want to join the conversation? Please or to comment on this article.