MSP reveals one patient had data breached twice by NHS Highland

Highlands and Islands MSP, David Stewart, has been told that one patient has found his confidential data breached twice by NHS Highland after the latest incident was made public yesterday.

Mr Stewart, who is Labour’s Shadow Public Health Minister, said the patient found his data breached last year when the email addresses of almost 40 people living with HIV were accidentally published by the health authority to others with the illness.

The man, who is also diabetic, has now discovered his data was circulated for a second time in the latest incident when NHS Highland apologised for sharing an excel spreadsheet containing confidential information with other patients.

“Quite honestly I could not believe it when the constituent contacted me to tell me he had his information shared again,” said Mr Stewart.

“He is absolutely devastated by the second breach as it shows lessons have not been learnt from last year and I can clearly understand why he feels so let down.”

Mr Stewart explained that the patient had initially contacted him last year following the first breach and the MSP had kept in contact as there were a number of problems thrown up by this case.

The patient, who does not want to be identified, told Mr Stewart: “When I contacted you last year, I was a newly diagnosed HIV patient and, as a direct result of the last breach, my care had to be transferred to NHS Glasgow. I will be looking for Jeane Freeman to launch an inquiry.”

Mr Stewart has already written to NHS Highland’s Chief Executive, Pam Dudek, and is now writing to Health Secretary, Jeane Freeman, highlighting the latest incident and the fact that a patient has suffered a data breach on two occasions. The MSP is calling for her to ensure proper protections, staff training and systems are in place to prevent such incidents happening again.

“Data and confidential information of national health service patients must be treated in the strictest confidence by those handling it,” said Mr Stewart.

“I am aware that there is tremendous pressure on front-line staff, not only on nurses and clinical staff, but on administration staff, due to the pandemic.

“However, this is serious and the second time in 17months that an NHS Highland data breach has been raised with me.”

  • Last year Mr Stewart raised the first data breach in the Scottish Parliament with First Minister Nicola Sturgeon. The MSP said then: “Whilst I welcome the apology by the board, does the First Minister share my view that confidentiality is a core principle of the NHS and the decision to disclose HIV status is a matter for individuals themselves and theirs alone.” Nicola Sturgeon agreed very strongly saying that the safety of patient data was of “the utmost importance”.
  • She added that the breach was reported to Information Commissioner within 24 hours. NHS Highland had taken steps to apologise to patients, respond directly to any concerns and a formal internal review was being carried out. The First Minister admitted that “clearly there have been failings”.
  • Afterwards Mr Stewart added that he had written to NHS Highland’s Chief Executive, Iain Stewart, to ask that he be kept informed of the outcome of the internal review and the findings of the Information Commissioner.
  • “Keeping patients’ data confidential is essential for everyone and I hope lessons can be learned as a result of this breach,” said the MSP. “HIV is a very sensitive subject for those with the virus and I am told this breach has caused some distress.”