Key Takeaways

- A staff member transferred a spreadsheet with 150 maternity patients' data to their personal email account
- Exposed data includes full names, dates of birth, NHS numbers, and pregnancy treatment information
- The ICO and Police Scotland have been notified; no evidence yet of wider data sharing
NHS Forth Valley is investigating after a staff member transferred a spreadsheet containing personal data of approximately 150 maternity patients to their own personal email account. The health board, which serves the region between Edinburgh and Glasgow, has contacted affected women and notified both the Information Commissioner's Office and Police Scotland.
The exposed data includes full names, dates of birth, NHS numbers, pregnancy treatment information, and the total number of children each patient has. According to NHS Forth Valley, the transfer was done for "analytical purposes" by a fully qualified, non-clinical staff member.
What data was exposed and how did it happen?
The incident came to light when NHS Forth Valley discovered that an employee had sent a data extract from the Trust's maternity system to a personal email address. The spreadsheet contained identifiable information for around 150 women who had accessed local maternity services.
“An internal investigation is underway after a member of staff transferred a spreadsheet containing an extract of data from our maternity system to their personal email address.”
— NHS Forth Valley spokesperson
The Trust says the staff member has since deleted the data and there is "no evidence that the information has been shared any wider at this stage." But for affected patients, that assurance offers limited comfort. One new mother told the Falkirk Herald she was experiencing anxiety knowing her details had left NHS systems.
Why do NHS email breaches keep happening?
This is not an isolated incident. The NHS has a documented pattern of email-related data breaches, many stemming from basic failures in protocol rather than sophisticated attacks.
Chelsea and Westminster NHS Trust and NHS Highland both exposed HIV patients' data by using the CC field instead of BCC when sending bulk communications. Cambridge University Hospitals NHS Foundation Trust was found exposing extraneous data in spreadsheets sent as part of Freedom of Information responses between 2020 and 2021.
Perhaps most ironic: NHS Digital itself exposed hundreds of email addresses via a failed BCC attempt when inviting attendees to a cybersecurity event. Four separate emails. Same mistake each time.
The common thread is human error, not technical failure. Staff taking shortcuts. Controls that exist on paper but not in practice. Training that does not translate to behavior.
What are the regulatory consequences?
The ICO has authority to fine organizations up to £17.5 million or 4% of annual global turnover for serious GDPR violations. In practice, NHS trusts have received reprimands and enforcement notices rather than headline-grabbing fines. NHS Highland was reprimanded for its BCC blunder involving HIV patients.
The question for CIOs is whether a reprimand changes behavior. Based on the frequency of these incidents, the answer appears to be no. The ICO's enforcement toolkit seems insufficient to shift the culture around data handling in public healthcare.
According to ICO annual reports, approximately 67% of UK healthcare data breaches are attributed to insider incidents, whether accidental or malicious. This statistic suggests technical controls alone will not solve the problem. The breach vector is people, not systems.
What should IT leaders take from this?
The NHS Forth Valley incident highlights a gap that exists across many organizations: the distance between policy and practice. Most enterprises have data handling policies. Fewer have controls that actually prevent staff from exfiltrating data to personal accounts.
Data Loss Prevention tools exist precisely for this scenario. Email security gateways can flag or block attachments containing structured data like NHS numbers or dates of birth being sent to non-corporate domains. The technology is mature. The question is deployment and configuration.
For healthcare organizations specifically, the sensitivity of the data raises the stakes. Maternity records contain some of the most personal information imaginable. A spreadsheet with pregnancy treatment details, number of children, and NHS identifiers is not just a compliance problem. It is a betrayal of trust that affects people at a vulnerable moment.
Logicity's Take
The pattern here is clear: NHS trusts keep failing at basic email hygiene because there are no meaningful consequences for failing. Reprimands do not change procurement decisions or leadership incentives. For CIOs in any sector, the lesson is to assume your staff will make these mistakes and build controls that make the mistake technically impossible. DLP solutions from vendors like Microsoft Purview, Symantec, or Forcepoint can enforce policies at the email gateway level. The investment is modest compared to the reputational cost of reading your organization's name in a data breach headline.
Frequently Asked Questions
What data was exposed in the NHS Forth Valley breach?
The spreadsheet contained full names, dates of birth, NHS numbers, pregnancy treatment information, and total number of children for approximately 150 maternity patients.
Has the exposed data been shared more widely?
NHS Forth Valley says there is currently no evidence the data was shared beyond the staff member's personal email. The employee claims to have deleted the data.
What penalties can the ICO impose for NHS data breaches?
The ICO can fine organizations up to £17.5 million or 4% of annual global turnover for serious GDPR violations. NHS trusts have typically received reprimands rather than large fines.
Why do NHS email data breaches keep happening?
Most incidents stem from human error rather than technical attacks. Staff take shortcuts, and existing controls are often policy-based rather than technically enforced.
Related reading on evolving enterprise security challenges
Need Help Implementing This?
If you're reviewing your organization's data loss prevention strategy or need help configuring email security controls, contact the Logicity team for vendor-neutral guidance on protecting sensitive data.
Source: www.theregister.com
Manaal Khan
Tech & Innovation Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.






