Exclusive: Revealed: The scale of pay-outs to victims for NHS Scotland data breaches

Health boards in Scotland have paid over £150,000 to patients and staff who were the victims of data breaches, The Scotsman can reveal.

NHS health boards in Scotland have paid out thousands to patients and staff for data breaches, The Scotsman can reveal.

Pay-out figures for the past five years can be exclusively published following a recent cyber attack on NHS Dumfries & Galloway, during which criminals managed to get their hands on a “significant quantity” of data and attempted to blackmail the health board for the return of the information.

Freedom of Information requests to Scotland’s other health boards have revealed many have been forced to hand pay-outs to patients and staff who had their data accessed.

The NHS in Scotland is having to shell out thousands to patients and staff for data breaches, The Scotsman can exclusively reveal.

NHS Greater Glasgow & Clyde has paid out £27,050 to 15 people in the past five years, but would not say whether these were staff or patients.

NHS Tayside has paid out the most over the same period, giving £41,050 in total following 13 claims for data breaches.

NHS Highland, too, has paid out £36,250 to at least one patient, while NHS Lothian has paid at least four patients a total of £23,250.

In total, NHS Scotland health boards paid out £154,100 to at least 29 people.

NHS Dumfries & Galloway had previously announced stolen data included information that could identify patients and staff, and has called in the Scottish Government, Police Scotland and the National Cyber Security Centre to deal with the issue.

The health board’s chief executive, Julie White, has apologised to patients and staff and confirmed some children’s mental health data has been published by the perpetrators of the attack.

Scottish Conservative MSP Maurice Golden said the issue of health boards being hacked and patient data published was “an increasing threat”.

“We’ve seen some really bad cases in Scotland and in England recently, and the problem is not going away,” he said.

“These figures show there have been a number of data breaches across the country, costing the health service an unnecessary amount of money. They will also have caused patients and staff unnecessary anxiety.

“We need assurances from the Scottish Government that it is on top of this problem and putting in place measures to ensure breaches do not continue.”

NHS Dumfries and Galloway has sent leaflets out to every address in its area, alerting patients to the cyber attack and informing them of their rights.

In a statement posted to its website, the board said: “During these incursions into our systems, there is a risk that hackers have been able to acquire a significant quantity of data. Work is continuing together with cyber security agencies to investigate what data may have been accessed, but we have reason to believe that this could include patient-identifiable and staff-identifiable data.”

An NHS Tayside spokesperson said: “We take the security of information very seriously and make every effort to ensure that patient and staff data is secure and only accessed when appropriate. When there is a data breach, we take action as quickly as possible to investigate and manage the situation and, where appropriate, those affected may receive compensation.”

A statement from NHS Greater Glasgow & Clyde said: “While we do not discuss individual settlements, we take any data breach seriously and regularly monitor and update our practices.”

A Scottish Government spokesperson said: “The privacy of all patients and service staff is paramount. We expect NHS boards and other partners to protect and respect patients’ rights at all times.”