NHS Tayside logged more than 1,200 data breaches in five years as the health board comes under fire again for poor handling of patient records, The Courier can reveal.
The full number follows a series of high profile leaks which angered patients and staff.
Former patient Alan Ogilvie, who obtained the new figures through Freedom of Information (FOI) requests, said it is “one symptom of a deeper failure”.
He said: “The lack of accountability utterly erodes any shred of trust patients could have.
“How can patients ever trust NHS Tayside with their most sensitive information?”
Mr Ogilvie was among 132 victims of disgraced ex-Dundee doctor Sam Eljamel who received an apology in January after their personal details were leaked.
Multiple breaches
Last year, The Courier detailed seven separate data breaches which spanned a two-year period.
In August 2023, a Microsoft Excel spreadsheet containing sensitive information about NHS Tayside staff was shared in error with another team.
Just weeks later paperwork for hundreds of patients were missing.
Perthshire woman Amanda Flood has now been victim to three data breaches.
On two occasions a health board employee snooped on her personal files, while last October she received a letter saying her details had mistakenly been sent to a patient.
In February 2024, NHS workers lost documents with personal details about primary-one pupils in Broughty Ferry.
And in December last year Tayside chiefs launched an internal review after the data of 125 patients was released by mistake.
What do the annual figures show?
The new details show 381 errors were flagged internally in 2023-24, by far the highest total across an eight-year period.
There were 272 breaches in 2022-23, after 246 were logged in 2021-22.
Between 2019 and 2024, 33 of these were deemed serious enough to be sent on to Scotland’s Information Commissioner.
The figures also show 13% of staff currently working at the heart board are yet to complete mandatory training for handling data.
Meanwhile, NHS Tayside said 14,165 staff were up to date with data courses as of March this year – which leaves 1,800 staff lagging behind.
In June 2019, 69% of staff were compliant with the compulsory data training.
NHS Tayside notes new data protection laws – GDPR – came into force in May 2018, and says this “will have impacted on the reporting and compliance figures”.
Mr Ogilvie’s Freedom of Information request found the total number of data breaches since 2016.
The Eljamel patient previously won a complaint against NHS Tayside after waiting more than four months when he asked for the health board to hand over his personal data.
“It’s frankly astonishing that a former patient like myself has had to make formal complaints and conduct a detailed FOI investigation,” he said.
“This is a stark revelation of systemic ignorance and a profound failure of governance.”
‘Taken seriously’
An NHS Tayside spokesperson said information security is taken very seriously.
“All staff are required to undertake mandatory training in safe information handling and NHS Tayside has a suite of information governance policies for staff to follow, including a data protection policy,” the spokesperson said.
“Currently the majority, 87%, of NHS Tayside staff have completed the safe information handling training.
“All NHS Tayside staff are actively encouraged to report data breaches, no matter how small, through the Datix incident reporting system.
“All breaches of data protection are recorded and investigated within NHS Tayside and, where appropriate, are reported to the Information Commissioner’s Office.
“A learning review is ongoing to evaluate systems and processes currently in place and identify actions to further improve data security across NHS Tayside.”
Conversation