A data breach at NHS Lothian was uncovered during a routine audit, revealing that an unauthorized individual later identified as a female employee had inappropriately accessed the private medical records of approximately 100 patients. The breach was detected in September 2023, prompting an immediate internal investigation. Affected patients were notified, and the incident was escalated to Police Scotland and the Information Commissioner’s Office (ICO). Authorities confirmed that a woman had been charged in connection with the breach, with the case referred to the procurator fiscal for prosecution. The breach involved sensitive patient data, including confidential medical histories, which were accessed without legitimate cause. While the exact motive remains undisclosed, the incident highlights vulnerabilities in internal access controls within the healthcare system. NHS Lothian emphasized that no evidence suggested wider exploitation (e.g., ransomware or external hacking), but the unauthorized access alone constitutes a serious violation of patient privacy and trust. The health board assured that corrective measures were implemented, though specifics were not detailed to avoid compromising the ongoing legal process.
Source: https://www.aol.com/articles/woman-charged-patient-records-accessed-110844971.html
TPRM report: https://www.rankiteo.com/company/nhs-lothian
{
  "id": "nhs1732417110125",
  "linkid": "nhs-lothian",
  "type": "Breach",
  "date": "9/2023",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': '100 (Approximate)',
                        'industry': 'Healthcare',
                        'location': 'Edinburgh, Scotland, UK',
                        'name': 'NHS Lothian',
                        'type': 'Healthcare Provider'}],
 'attack_vector': 'Insider Threat (Inappropriate Access by Staff)',
 'customer_advisories': 'Affected patients were directly contacted by NHS Lothian.',
 'data_breach': {'number_of_records_exposed': '100 (Approximate)',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (Private Medical Information)',
                 'type_of_data_compromised': 'Medical Records (Patient Data)'},
 'date_detected': '2024-08-01T00:00:00Z',
 'date_publicly_disclosed': '2024-09-16T00:00:00Z',
 'description': "A woman has been charged after patients had their private medical records inappropriately accessed during an NHS Lothian data breach. Reports suggest about 100 people could have had their records accessed. The breach was discovered during a routine audit last month. Affected patients were contacted, and the incident was reported to Police Scotland and the Information Commissioner's Office (ICO).",
 'impact': {'brand_reputation_impact': 'Moderate (Public Disclosure of Breach)',
            'data_compromised': True,
            'identity_theft_risk': 'Low (Medical Records Accessed, but No Evidence of Theft)',
            'legal_liabilities': 'Potential (ICO Investigation, Police Involvement)',
            'operational_impact': 'Minimal (Investigation Ongoing)'},
 'investigation_status': 'Ongoing (Police and ICO Involved)',
 'motivation': 'Unknown (Potentially Unauthorized Curiosity or Malicious Intent)',
 'references': [{'date_accessed': '2024-09-16',
                 'source': 'BBC News / Police Scotland Statement'}],
 'regulatory_compliance': {'legal_actions': ['Police Scotland Investigation',
                                             'Report to Procurator Fiscal (Scotland)',
                                             'ICO Notification (Potential Enforcement Action)'],
                           'regulations_violated': ['UK GDPR (General Data Protection Regulation)',
                                                    'Data Protection Act 2018 (UK)'],
                           'regulatory_notifications': ["Information Commissioner's Office (ICO)",
                                                        'Police Scotland']},
 'response': {'communication_strategy': ['Public Statement by NHS Lothian Medical Director',
                                         'Direct Notification to Affected Patients'],
              'containment_measures': ['Immediate Investigation Launched',
                                       'Access Revoked (Implied)'],
              'enhanced_monitoring': 'Routine Monitoring (Ongoing)',
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'recovery_measures': ['Patients Notified',
                                    'Reported to Regulatory Authorities (ICO, Police Scotland)']},
 'threat_actor': {'type': 'Insider (Employee/Misuse of Access)'},
 'title': 'NHS Lothian Patient Data Breach',
 'type': 'Data Breach (Unauthorized Access)'}