NHS Forth Valley Investigates Data Breach Involving Maternity Patient Information
NHS Forth Valley is investigating a data breach where a staff member emailed a spreadsheet containing personal details of approximately 150 maternity patients to their personal account.

NHS Forth Valley, a health board serving the region between Edinburgh and Glasgow, is currently investigating a data breach that exposed the personal information of around 150 women who had accessed its maternity services. The incident occurred when a staff member transferred a spreadsheet containing patient data from the maternity system to their personal email account.
A spokesperson for NHS Forth Valley confirmed the internal investigation, stating that while the majority of the information in the spreadsheet was unidentifiable, it did contain specific details pertaining to a number of women. The Trust has proactively reached out to all affected patients to inform them of the breach. Additionally, the Information Commissioner's Office and Police Scotland have been notified of the incident.
Details within the compromised spreadsheet reportedly include full names, dates of birth, NHS numbers, specific pregnancy treatment information, and the total number of children each patient has. The affected staff member claims to have deleted the data from their personal account and has advised that there is no evidence of the information being shared more widely at this stage.
One patient, who was among the approximately 150 women impacted, expressed significant anxiety to local media about her personal details being exposed. She was informed by NHS Forth Valley that the data transfer was allegedly for analytical purposes and that the staff member involved was fully qualified and not in a junior role.
This incident adds to a concerning pattern of data mishandling within the UK's National Health Service. Past breaches have involved mishandling patient data through improperly secured emails, including accidental exposure via CC fields instead of BCC, and exposing extraneous data in responses to Freedom of Information requests.
The NHS has a history of such email-related blunders, including instances where hundreds of email addresses were exposed due to failed BCC attempts when communicating with attendees of cybersecurity events. These recurring issues highlight persistent challenges in data security practices across the healthcare sector.
While NHS Forth Valley is conducting its investigation and has taken steps to notify relevant authorities and affected individuals, the breach underscores the critical need for robust data protection protocols and ongoing staff training to prevent similar incidents in the future. The potential impact on patient trust and privacy remains a significant concern.
The Trust is cooperating fully with the Information Commissioner's Office and Police Scotland as the investigation progresses. Further updates are expected as the internal review concludes and more information becomes available regarding the exact nature of the data and the circumstances surrounding its transfer.