Nearly 300 NHS Highland staff and patients have been affected by serious data breaches over the past 18 months, raising renewed concerns over the health board’s handling of personal information.
According to figures obtained through a Freedom of Information (FOI) request, seven major data breaches occurred within the last two years, impacting 272 individuals. Each incident was reported to the Information Commissioner’s Office (ICO) after the unauthorised disclosure, loss, or access to personal data.
Four breaches took place in 2024, and three more were recorded in 2025, including one as recent as last month. Two were caused by technical faults, four by human error, and one linked to a cyber attack targeting an NHS Highland supplier.
Following each incident, the health board carried out internal reviews and introduced new safety measures, including staff training, to prevent similar breaches in future.
A spokesperson for NHS Highland said the organisation is “committed to safeguarding patient confidentiality” and will “consistently take decisive action” to protect personal data.
However, this is not the first time NHS Highland has faced scrutiny for data mishandling. In 2021, 124 patients’ names and addresses were accidentally shared with others through Covid vaccine letters. In 2022, Thurso resident Peter Todd reported receiving another patient’s medical records, while Highland MSP Emma Roddick (SNP) also experienced a mix-up with her own files.
Roddick said she had “raised [her] own data issues” and understood the distress caused when people “worry about their own information being shared with others”. She urged affected patients to report any breach so the health board can investigate, apologise, and prevent recurrence.
NHS Highland was also reprimanded in 2023 after mistakenly copying 37 people into an email about HIV services, revealing their email addresses to each other.
Last year recorded the second-highest number of annual data breaches by the board in seven years, surpassed only by 2022, which saw six incidents.
Scottish Conservative MSP Edward Mountain criticised the situation, saying: “It is unacceptable that NHS Highland have allowed patient and staff records to get into the wrong hands. There is nothing more private than your medical notes.”
The health board now faces growing pressure to tighten its cybersecurity and data management systems to restore public trust.
