More than a dozen cases of wrongful access to medical records have taken place at the NHS Trust that runs York and Scarborough hospitals.
In the past five years, almost 20 staff members have wrongfully accessed medical records at the York and Scarborough Teaching Hospitals NHS Foundation Trust.
A Freedom of Information (FoI) request also revealed that of the 18 cases recorded since 2021, eight cases were referred to the Information Commissioner’s Office.
The issue of wrongful access to medical records has received increased attention after staff at other trusts in England have been dismissed and investigated for inappropriately accessing the records of victims of the 2023 Nottingham attack and the 2024 Southport attack, respectively.
The ICO has warned of a “worrying trend that requires a serious response across the healthcare sector”.
No staff members at the NHS Trust, which runs York, Scarborough, and Bridlington hospitals, were recorded as having been involved in more than one incident of wrongful access to patient records.

The FoI request, submitted by the Local Democracy Reporting Service (LDRS), sought to ascertain whether any staff had been dismissed for wrongfully accessing medical records.
However, the NHS Trust said it was unable to provide that information as “such matters are investigated on a case-by-case basis” and “in some cases, an employee may leave the Trust before an investigation concludes, as a result, we are unable to provide an accurate year-by-year figure for dismissals relating solely to this issue”.
A spokesperson for York and Scarborough Teaching Hospitals NHS Foundation Trust said: “We take patient confidentiality extremely seriously and expect all staff to uphold the highest standards when accessing patient information.
“Access is permitted only when it is directly relevant to a patient’s care, is closely monitored and audited, and any suspected breach of policy is thoroughly investigated.”
The spokesperson added: “Where inappropriate access is substantiated, appropriate action is taken, which may include disciplinary action or referral to professional regulators.
“All staff complete mandatory information governance training, with annual refresher training, and are regularly reminded of their responsibility to keep patient information safe.”

Paul Arnold, chief executive officer of the Information Commissioner’s Office (ICO), said the watchdog received “a number of reports from organisations about these breaches”.
“Recent high-profile cases point not to isolated incidents but to a worrying trend that requires a serious response across the healthcare sector.
“As I highlighted in my recent evidence to the Nottingham Inquiry, I believe this is primarily a cultural challenge.
“When a local incident becomes national news – a serious crime, a public tragedy, a story that captures widespread attention – there is an increased risk that healthcare staff could be tempted to look at records they have no reason to view.”
Mr Arnold added: “In many healthcare cases, staff have legitimate access to these systems. Patients can be transferred to their care at a moment’s notice, and fast access to medical information is essential to delivering safe care.
“But having the ability to view a record is not the same as having a legitimate need to do so. Most of the time, this distinction is well understood, but in rare cases, it is clear that curiosity or more concerning motives can cause people to access information without authorisation.
“This is not an excuse. Knowingly or recklessly accessing personal data without authorisation for whatever reason is against the law.
“The consequences are real – disciplinary action, loss of professional accreditation and prosecution in some cases, and lasting harm to patients. And so is the damage done to the professional integrity of the many healthcare workers who do the right thing every day.”












