More than 5,000 data breaches have hit NHS Scotland’s health boards since January 2023, a Freedom of Information (FOI) investigation by The Ferret has found. At least 182 staff have been disciplined over the incidents. Six were serious enough to be referred to Police Scotland.
The tally runs from stray emails sent to the wrong recipient to a ransomware crew dumping stolen files on the dark web. And the board reprimanded hardest for a WhatsApp leak back in 2023 is now logging more breaches than nearly any other, disciplinary record included.
Lanarkshire’s WhatsApp Reprimand Didn’t Stop the Repeat
NHS Lanarkshire has logged 1,138 data breaches since January 2023, the second-highest total of any Scottish health board. A total of 171 staff faced disciplinary action. Not one was dismissed.
The board has been here before. In 2023, the Information Commissioner’s Office (ICO) formally reprimanded NHS Lanarkshire after staff shared confidential patient information inside an unauthorised WhatsApp group more than 500 times between 2020 and 2022. Computer Weekly reported that regulators let the trust avoid a fine over the WhatsApp sharing, opting for a public reprimand instead.
Three years on, the same board accounts for close to a quarter of the national total.
The Board-by-Board Breakdown
Here is how the clearest disclosed totals break down across five of Scotland’s 14 territorial health boards.
| Health Board | Breaches Since Jan 2023 | Notable Detail |
|---|---|---|
| NHS Greater Glasgow and Clyde | 1,335 | Highest total of any board |
| NHS Lanarkshire | 1,138 | 171 staff disciplined, zero dismissals |
| NHS Dumfries and Galloway | 607 | Cited FOI cost limits to avoid a full case review |
| NHS Borders | 525 | Third-highest total disclosed |
| NHS Lothian | 14 | Six dismissals, six cases sent to Police Scotland |
NHS Dumfries and Galloway said reviewing each of its 607 disclosed incidents individually, to confirm which legally counted as a breach, would exceed the cost ceiling set under freedom of information law. Other boards gave partial responses. The real national count is almost certainly higher than 5,000.
It fits a wider pattern. Scotland’s intensifying fight over freedom of information rules has grown louder as public bodies increasingly lean on cost-limit exemptions to withhold detail from requesters.
Lothian Logged Fewest Breaches, Harshest Fallout
NHS Lothian reported just 14 data breaches under the FOI request, fewer than any other board named in the investigation. Its response to what it did find was the harshest of any board.
NHS Lothian dismissed six staff members. It referred six separate cases to Police Scotland, more police referrals than any other board disclosed.
The board has previously investigated a run of serious incidents, including:
- Unauthorised access to cancer patients’ medical records
- Unauthorised viewing of more than 150 colleagues’ health records by staff who had no clinical reason to see them
- Six staff dismissals tied to breach investigations
- Six separate cases referred directly to Police Scotland
Fewer logged incidents, in other words, did not mean a lighter touch once one was confirmed.
Why Are Boards Reprimanded Instead of Fined?
The ICO can fine organisations under UK data protection law, but it has leaned on public reprimands for NHS boards instead. Its stated reasoning: fining a public body ultimately means drawing on the same public money that pays for patient care, since health boards are funded by the taxpayer.
An ICO spokesperson told The Ferret that patient data “must be handled carefully and securely” and that people using health services “need to trust that their data is in safe hands.” The regulator said it expects boards to keep clear staff training and strong accountability cultures in place, adding: “Where organisations do not comply with the law, we will take action.”
That restraint is deliberate. Legal analysts at Pinsent Masons have tracked the regulator’s reluctance to fine NHS bodies, noting the ICO’s own position that penalties on public bodies ultimately land on the same taxpayers the fines are meant to protect. Critics say that leaves boards with reprimands, not fines, as the only real consequence on paper.
One cyber security expert put it more bluntly.
This is all indicative of a wider malaise at executive levels as far as data privacy and cyber security are concerned.
Saif Abed, founding partner at the AbedGraham Group cyber security consultancy, made the comment to Digital Health News, which first published his assessment of the FOI findings. Abed also said the NHS “lacks transparency with the public when it comes to the scale of data breaches,” arguing it takes a series of FOI requests to unmask a problem of this size.
Inside NHS Dumfries and Galloway’s Ransomware Standoff
NHS Dumfries and Galloway’s breach count includes more than paperwork gone astray. In 2024, the board was hit by a ransomware attack that exposed significant volumes of patient and staff data.
The extortion group INC Ransom claimed responsibility and threatened to leak 3TB of stolen files unless it was paid. No payment materialised, and the group later dumped the data on the dark web.
NHS Dumfries and Galloway has kept a public update page on the cyberattack, including advice for patients and staff whose information may have been caught up in it.
A separate, third-party cyber security incident later exposed NHS staff phone numbers across multiple Scottish health boards. It was unrelated to the ransomware attack, but it landed in the same stretch of years now under scrutiny.
Ministers Point to Guidance, Not Sanctions
A Scottish government spokesperson said the “privacy of patients and service staff is paramount” and that boards and delivery partners are expected to “protect and respect individuals’ information and rights at all times.”
The spokesperson pointed to support rather than sanctions, citing “ever-increasing cyber and information threats faced across health and care” and describing government work with boards to make sure they get the guidance needed to respond when a reportable incident happens.
The breach tally lands on top of other pressure points for the service. NHS Scotland is already carrying a £440 million annual delayed discharge bill, and information governance now sits alongside waiting times and finances on the list of fronts boards have to manage at once.
The pattern is not confined to these 14 boards either. A separate investigation found NHS Highland alone logged more than 1,600 breaches over five years, reported outside The Ferret’s own figures.
So far, the only sanction made public against any of the 14 boards is the 2023 reprimand over the Lanarkshire WhatsApp group, not a fine.
Frequently Asked Questions
Which NHS Scotland Board Had the Most Data Breaches?
NHS Greater Glasgow and Clyde recorded the highest total, with 1,335 breaches since January 2023. It is Scotland’s largest health board by population served, which partly explains a higher raw count than smaller boards such as NHS Borders or NHS Lothian.
What Is the Difference Between an ICO Reprimand and a Fine?
A reprimand is a formal public finding of fault with no financial penalty attached. A fine under UK data protection law can run into the millions of pounds. The ICO has stated it avoids fining public bodies like NHS boards because the cost would ultimately be absorbed by the same public purse that funds patient care.
What Happened in the NHS Lanarkshire WhatsApp Breach?
Twenty-six NHS Lanarkshire staff shared patient names, phone numbers, addresses and clinical details in an unauthorised WhatsApp group more than 500 times between April 2020 and April 2022. The ICO issued its formal reprimand in 2023 once the sharing came to light.
How Does NHS Scotland Discipline Staff Over Data Breaches?
Outcomes range from early, informal resolution up to dismissal, depending on the board and the severity of the access involved. NHS Lanarkshire disciplined 171 staff without dismissing any of them, while NHS Lothian dismissed six staff and sent six separate cases to Police Scotland.
Can Patients Find Out Who Accessed Their NHS Records?
Patients can ask a health board’s information governance team for details of who has accessed their record through a subject access request under UK data protection law. Anyone who suspects unauthorised access to their file can also raise it directly with the ICO if the board’s own response is unsatisfactory.
Craig Gordon Retires at 43 as Scotland’s Oldest World Cup Player
Scotland Fans Fill Glasgow Pubs to Cheer Argentina’s Win Over England
11 Scotland Towns Where Main Streets Are Winning the Long Game
Ferguson Marine Loses Skilled Trades While Ministers Stall On Ship Deal
Scotland U20s Drop Six Nations Regular MacArthur for Wales Final
Scotland’s First Dual Recovery Court Cuts Drug Deaths by Up to 17%