Skip to main content
Emerging ThreatsData Breaches

NHS Trust Investigates Email Data Breach Involving Maternity Patients

Hospital corridor with computer and papers on a desk in the foreground.

"An internal investigation is underway after a member of staff transferred a spreadsheet containing an extract of data from our maternity system to their personal email address," NHS Forth Valley said.

NHS Forth Valley launches an internal probe

NHS Forth Valley has confirmed it is investigating after a staff member sent personal details for about 150 women who had used local maternity services to a personal email account. The trust told affected women directly and described the transfer as an extract from its maternity system. The staff member has advised the trust that they have deleted the data, and the trust says there is no evidence the information has been shared more widely at this stage.

Scope and type of information exposed

The trust said the spreadsheet's majority of information was unidentifiable, but that it contained “some lines of data relating to a number of women who had accessed local maternity services.” According to NHS Forth Valley, the spreadsheet included full names, dates of birth, NHS numbers, pregnancy treatment information and the patients’ total number of children. The trust described the individual who transferred the file as “a fully qualified, non-clinical staff member, and not a junior,” and said the data transfer was carried out for analytical purposes.

Authorities notified: Police Scotland and the Information Commissioner’s Office

NHS Forth Valley has informed a number of other relevant organisations about the incident, including the UK Information Commissioner and Police Scotland. The trust has also contacted the women whose data were involved. The announcement and notification steps form the immediate official response while the internal investigation continues.

Affected patients: anxiety and immediate reaction

One new mother among the circa 150 women affected told the Fakirk Herald that she was experiencing anxiety that her details were out in the public domain. That reaction was echoed in the trust's own communication, which acknowledged that some lines of the spreadsheet related to identifiable women and said affected individuals had been contacted directly.

How this fits with recent NHS email mishaps

The trust’s statement lands against a backdrop the report describes as an imperfect recent record for email-based data handling across the UK health service. The article cites earlier incidents in which Chelsea and Westminster and NHS Highland failed to protect HIV patients’ data by bulk-sending responses with recipients in the CC field rather than BCC. It also notes that Cambridge University Hospitals NHS Foundation Trust was found between 2020 and 2021 to have exposed extraneous data in spreadsheets sent as part of Freedom of Information responses, and that the service’s Digital division once exposed hundreds of email addresses via a failed BCC attempt when emailing attendees of a cybersecurity event.

What this means for patients, NHS Forth Valley, and regulators

  • Patients and new mothers: immediate concern is practical and psychological — the report records at least one woman describing anxiety about her details being public, and the trust has attempted to allay that by direct contact.
  • NHS Forth Valley and staff: the trust has opened an internal investigation, notified affected women and told regulators; it must now establish how a staff member moved the spreadsheet to a personal account and whether deletion claims can be verified.
  • Police Scotland and the Information Commissioner's Office: both have been made aware of the incident and will be in a position to assess whether regulatory or criminal thresholds have been met, based on the trust’s notifications and ongoing inquiries.

The immediate record from NHS Forth Valley is straightforward: a spreadsheet containing an extract from the maternity system was transferred to a personal email address, affected women have been contacted, an internal investigation is under way, and regulators and police have been notified. The next factual milestones will be the investigation’s findings and any formal conclusions from the Information Commissioner’s Office or Police Scotland about whether the deletion was effective or the data were shared beyond the staff member’s account.

Source: The Register