Skip to main content
CybersecurityHealthcare

NHS Targets Unauthorized Data Access with New Staff Guidance

Hospital corridor with staff, natural light, and blurred laptop screen.

"Inappropriate access of medical records was 'wholly unacceptable, a disgraceful breach of patient trust and against the law,'" Head of the NHS Jim Mackey warned as the service rolled out a staff awareness campaign and new guidance aimed at preventing unauthorized peeks into patient files.

Jim Mackey and the NHS awareness campaign

The NHS has launched a campaign aimed at staff that bluntly urges them "not to let curiosity kill your career." The initiative accompanies new guidance for healthcare organizations that explains how to prevent, monitor and report unauthorized access to patient data. The guidance is intended both to raise awareness among front-line employees and to set expectations for organizational practices.

Recent unlawful-access incidents that prompted action

The campaign follows several high-profile cases in which NHS employees viewed patient records without a legitimate reason. In May, 11 staff were dismissed and 14 given written warnings after unlawfully accessing the records of victims of the 2023 Nottingham knife attacks. A month later, a Cambridgeshire hospital opened an investigation after around 40 staff accessed the records of a seriously injured child without good reason. Separately, the Information Commissioner’s Office (ICO) issued a former healthcare worker a formal caution last month after they attempted to access and sell the medical records of the Princess of Wales; that incident took place at a private hospital in London.

NHS guidance: monitoring, audits, and technical controls

The NHS guidance describes different types of unlawful access, clarifies reporting procedures, and sets out technical and procedural measures organizations should adopt. It states that when unlawful access is identified, staff will be reported to the ICO and the police for potential criminal prosecution and that individuals risk ending their careers in healthcare. The guidance recommends regular audits and monitoring, noting that newer electronic patient record systems can flag incidents in real time.

IT teams are explicitly urged to put in place technical controls to prevent unauthorized access in the first place. The guidance lists enforceable measures including least-privilege policies, multi-factor authentication (MFA) and role-based access controls as primary defenses against insider misuse.

ICO CEO Paul Arnold on responsibility and consequences

ICO CEO Paul Arnold framed medical records as among the most sensitive personal data and drew a clear line between access capability and legitimate need. "Having the ability to view a record is not the same as having a legitimate need to do so," he said. "Every member of staff has a personal responsibility to respect that boundary, and every patient has a right to expect that they will. Staff who breach that trust face serious consequences: loss of employment, removal of professional accreditation and criminal prosecution."

Graeme Stewart (Check Point) on insider risk as part of a broader security posture

Graeme Stewart, head of public sector at Check Point, welcomed the campaign as a reminder of insider risk and urged organizations to apply the same security principles internally that are used against external threats. "The NHS has spent the last few years focused heavily on external threats such as ransomware, supply-chain attacks like the one that hit Synnovis, and nation-state activity, and rightly so. But this shows the same principles of zero trust and least-privilege access need to be applied internally as well as externally," he said.

Stewart also noted that the risk is compounded as the NHS progresses with wider electronic patient record rollouts and initiatives such as the Federated Data Platform, which are designed to make patient data more shareable across trusts.

What this means for IT teams, the ICO, and patients

  • IT teams: Will be expected to implement the technical controls called out in the guidance — least-privilege, MFA and role-based access — and to enable monitoring and audit capabilities within electronic patient record systems so that unauthorized views can be detected in real time.
  • The ICO and police: Will receive reports of unlawful access for potential criminal investigation and enforcement, consistent with the guidance's direction that incidents be escalated to regulatory and law-enforcement bodies.
  • Patients: Are being assured by senior officials that their records should be protected and that those who breach access boundaries face career-ending and legal consequences, reinforcing the expectation of privacy in medical records.

The NHS campaign and associated guidance set a clear administrative, technical and enforcement pathway: reduce opportunity through controls, detect misuse through monitoring and audits, and escalate incidents to regulators and police for potential prosecution. As the NHS increases data sharing capabilities across trusts through initiatives like the Federated Data Platform, the guidance signals a sharpened focus on the insider vector — and a willingness to apply disciplinary and legal remedies when lines are crossed.

Original story