EXCLUSIVE: NHS Tayside data breach probe after 125 patient records released in error
by Dale Haslam · The CourierNHS Tayside has launched an internal review after it mistakenly released the medical records of 125 patients.
The blunder happened after a Freedom of Information (FOI) request by The Courier regarding the number of people treated for animal-related injuries in recent months.
Rather than revealing how many hospital admissions there were, NHS Tayside sent us a spreadsheet which included the home addresses, birthdates and health conditions of 125 people – making it possible to identify named individuals within seconds.
One of the patients affected, who asked not to be named, told us: “I’m horrified. How on earth can this happen?”
The health board has apologised and launched an internal review to improve its data security.
It has also referred itself to the information regulator, which is “assessing” the data NHS Tayside provided.
Health chiefs plan to contact those whose names appear on the spreadsheet to apologise and explain how the error happened.
‘I’m shocked’
The Courier was able to raise the alarm before NHS Tayside published the confidential data on its website, as it usually does in response to FOI requests.
The patient, a woman who lives in a rural part of Tayside, added: “I’m shocked.
“The fact that someone has released the precise details of my hospital admission is very worrying.
“My first reaction is to be horrified. My second reaction is that it is just a really bad case of human error.
“I really hope that someone from NHS Tayside contacts me – and everyone else affected – immediately. It’s a lot to process.”
The spreadsheet, to which The Courier has since relinquished access, revealed dozens of fields of information about each patient’s medical treatment.
But our reporter was shocked to see ages, dates of birth and unique patient numbers.
Neighbouring boards, such as NHS Highland, provided general, anonymised numerical data explaining how many incidents there were.
Another local impacted by the data breach said: “This is simply infuriating.”
Health board apology
An NHS Tayside spokesperson said: “A spreadsheet was sent to a journalist in error on December 9 2024 as part of a freedom-of-information response.
“The document contained personal details of people who had been treated for injury caused by animals between April 2023 and September 2024.
“We have written directly to those affected to inform them of this error and to sincerely apologise.
“We have explained to the patients involved how this happened.
“However, we know that those impacted by this will have concerns about their data being mistakenly shared in this way and we are very sorry for this.
“We would like to reassure all those affected that we have taken a number of immediate steps to prevent this happening again.
“The breach has also been reported by NHS Tayside to the Information Commissioner’s Office (ICO) and also recorded on our DATIX incident reporting system.
“In addition, the chief executive has commissioned a learning review to evaluate systems and processes currently in place and identify actions to improve data security across NHS Tayside.”
Latest NHS Tayside data gaffe
The error is the latest in a series of data breaches committed by NHS Tayside in the last two years.
North-east MSP Maurice Golden said: “It is utterly shocking that this has happened.
“Human error is one thing, but this has now happened so often that you wonder if there are systematic problems.
“This should be discussed at the next NHS Tayside board meeting and there should be a root-and-branch review of data collection, storage and distribution.”
He added: “Clearly, The Courier has handled the situation in an admirable way by raising the matter with NHS Tayside at the first opportunity to ensure the board didn’t publish it on its website.
“Had this data gone to a private individual or a less-scrupulous source, it could have found its way onto the internet or social media and then it would be out of control.
“My concern is that this spreadsheet was not password protected.
“I feel for the people whose information was released and I hope this does not lead to people having second thoughts about seeking treatment in case their details are made public.”