NHS Ayrshire and Arran said it is aware of a data protection breach where a staff member “accessed some electronic patient records inappropriately”.

The health board confirmed that the staff member’s access to all its electronic systems was removed as soon as the data breach was identified, and added that the staff member in question “no longer works for NHS Ayrshire & Arran”.

It said that, upon discovering the data breach, it immediately notified the Information Commissioner’s Office (ICO), the Scottish Government, and Police Scotland.

The health board has sought to reassure patients that the data breach had not impacted the delivery of patient care.

In a statement, Dr Crawford McGuffie, Medical Director and Caldicott Guardian at NHS Ayrshire and Arran, said: “NHS Ayrshire & Arran is aware of a data protection breach where a member of staff accessed some electronic patient records inappropriately. We have taken all necessary appropriate action and have contacted patients affected.

“As soon as the data breach was identified, the staff member’s access to all NHS Ayrshire & Arran’s electronic systems was removed. We can confirm the member of staff no longer works for NHS Ayrshire & Arran.

“The incident has been managed in line with our data protection requirements and NHS Ayrshire & Arran policies. We have notified the Information Commissioner’s Office (ICO) and Scottish Government on becoming aware of the data breach. We have also notified Police Scotland.

“We would like to reassure patients that the data breach has had no impact on patient care. No information was removed from our electronic systems and patient information remains secure within our systems. This incident did not involve a cyber-attack.

“NHS Ayrshire & Arran takes incidents of this nature extremely seriously. We fully recognise the concern and distress that this may cause and would like to offer our sincere apologies to all those affected.”

The Herald has contacted Police Scotland for comment.

In May of 2021, a radiographer at Crosshouse Hospital who accessed the records of more than 200 female patients and pestered them for dates was struck off.

Andrew Stewart, 35, used his position at hospitals in Lanarkshire and Ayrshire to look up the files of women. He used fake names to contact the patients he had been treating before hounding them with a string of messages on Facebook and WhatsApp in an attempt to instigate relationships with them.

The married father-of-one hid behind false profiles including Andy Smith and Jamie Scott to chat up women – calling them ‘hot’, ‘gorgeous’ and even complimenting one on her breasts. He also sent photos of himself and in one message told a woman he was mature “when it comes to pleasing women in bed”.

Stewart, of Fenwick, Ayrshire, denied getting sexual gratification from contacting the women and claimed he was “lonely” because he was working in the dark.

But at Hamilton Sheriff Court he admitted obtaining personal data of 32 named women and others without a clinical or medical reason to do so.

He also pled guilty to a further 16 charges of acting in a threatening and abusive manner to women he had contacted between March 2013 and August 2018.

Stewart was sentenced to 200 hours of unpaid work and three years of supervision last August. He was also fined £600 and placed on the sex offenders’ register for three years.

He was then hauled before the Health and Care Professional Tribunal Service (HCPTS) who ruled he had to be banned from the profession.

In October last year, it was revealed that the private details of almost 300 NHS Highland staff and patients were exposed due to data breaches over an almost 18-month period.

Figures obtained through a freedom of information request (FOI) revealed 272 people were impacted in seven serious data breaches at the health board in 2024 and 2025.

All seven breach incidents – involving “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data” – were reported to the Information Commissioner’s Office (ICO).

Two breaches were the result of technical errors, four were incidents of human error, and one was the result of a cyber attack on a supplier to NHS Highland.

The health board conducted a review into each incident and carried out what it called “mitigations” including staff training in an attempt to prevent future breaches.