A data breach at NHS Lothian was discovered during a routine audit, revealing that unauthorized individuals had accessed the medical records of an unspecified number of patients. The breach was identified last month, prompting an immediate investigation. While the exact number of affected patients remains undisclosed, the health board confirmed that 'appropriate action' was taken, including notifying impacted patients, reporting the incident to Police Scotland, and informing the Information Commissioner's Office (ICO). The breach involved inappropriate access to sensitive patient records, raising concerns over privacy violations and potential misuse of personal health information. Dr. Tracey Gillies, NHS Lothian's medical director, said that measures had been put in place to address the incident but declined to comment on whether an internal employee was responsible. The breach underscores weaknesses in healthcare data security, particularly where insider threats or unauthorized access to records are involved. The incident remains under investigation by law enforcement, with potential regulatory repercussions pending the ICO's review.
Source: https://www.yahoo.com/news/articles/patient-records-accessed-nhs-lothian-183113696.html
TPRM report: https://www.rankiteo.com/company/nhs-lothian
{
  "id": "nhs0302603110125",
  "linkid": "nhs-lothian",
  "type": "Breach",
  "date": "10/2025",
  "severity": "60",
  "impact": "3",
  "explanation": "Attack with significant impact with internal employee data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "Unspecified (patients notified)",
      "industry": "Healthcare",
      "location": "Edinburgh, Scotland, UK",
      "name": "NHS Lothian",
      "type": "Healthcare Provider"
    }
  ],
  "customer_advisories": "Direct communication to affected patients",
  "data_breach": {
    "personally_identifiable_information": true,
    "sensitivity_of_data": "High (medical/health data)",
    "type_of_data_compromised": [
      "Medical Records",
      "Personally Identifiable Information (PII)",
      "Protected Health Information (PHI)"
    ]
  },
  "date_detected": "2023-10-01T00:00:00Z",
  "date_publicly_disclosed": "2023-11-01T00:00:00Z",
  "description": "The medical records of some NHS Lothian patients were accessed inappropriately during a data breach, discovered through routine monitoring. An investigation was launched, affected patients were notified, and the incident was reported to Police Scotland and the Information Commissioner's Office (ICO). The number of patients affected remains unconfirmed, and NHS Lothian has taken 'appropriate action' without disclosing details about individual staff members involved.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage due to unauthorized access to sensitive patient data",
    "data_compromised": ["Medical Records"],
    "identity_theft_risk": "High (medical records include sensitive PII/PHI)",
    "legal_liabilities": "Reported to Information Commissioner's Office (ICO); potential regulatory scrutiny under UK GDPR/DPL"
  },
  "investigation_status": "Ongoing (as of last disclosure)",
  "references": [
    {"source": "BBC News / Edinburgh Live (hypothetical, as original source not provided)"}
  ],
  "regulatory_compliance": {
    "regulations_violated": [
      "UK General Data Protection Regulation (GDPR)",
      "Data Protection Act 2018 (DPA)"
    ],
    "regulatory_notifications": ["Information Commissioner's Office (ICO)"]
  },
  "response": {
    "communication_strategy": "Public disclosure; direct patient notification",
    "incident_response_plan_activated": true,
    "law_enforcement_notified": true,
    "remediation_measures": [
      "Investigation launched",
      "Patients notified",
      "Reported to Police Scotland and ICO"
    ]
  },
  "stakeholder_advisories": "Patients notified; Police Scotland and ICO informed",
  "threat_actor": {"type": "Insider Threat (suspected)"},
  "title": "NHS Lothian Patient Data Breach",
  "type": "Data Breach"
}