Insider threat: NHS staff warned they’ll be fired or even jailed for accessing patient records illegally
The campaign follows several incidents of staff being dismissed from their posts after accessing the medical records of victims of high-profile crimes

Image by Cybernews.
- The NHS warns staff that unlawful patient-record access can lead to dismissal, prosecution, and imprisonment
- Recent snooping incidents exposed vulnerable patients, prompting stricter guidance and real-time monitoring alerts
- xperts note insider misuse of legitimate access is harder to detect than external cyberattacks
In May, the NHS, the publicly funded healthcare provider in the UK, granted Palantir “unlimited access” to millions of people’s data, but it has now warned staff that they face the sack or even prison if they access patient records without a legitimate reason.
According to Sir Jim Mackey, head of the NHS, staff snooping on medical records for personal reasons or out of curiosity was “wholly unacceptable, a disgraceful breach of patient trust and against the law.”
The NHS campaign follows several incidents of staff being dismissed from their posts after accessing the medical records of victims of high-profile crimes, including Nottingham attacks.
A series of incidents
The Nottingham attacks occurred in June 2023, when three people were fatally stabbed, and three others were seriously injured in a series of violent incidents across Nottingham.
The perpetrator, Valdo Calocane, a former university student with a diagnosis of paranoid schizophrenia, pleaded guilty, and widespread misconduct was uncovered regarding the unauthorized accessing of the victims’ medical and police records.
Has your password leaked?
In June, Cambridge University Hospitals also announced they were investigating a potential data breach after 40 people were found to have accessed the medical records of a three-year-old who was allegedly thrown into a crocodile pit.
And in another incident, a healthcare worker at a London clinic who tried to sell the Princess of Wales’s private medical records was cautioned by the Information Commissioner’s Office (ICO), the UK’s data watchdog, earlier this month over the “deliberate misuse” of those records for financial gain.
Back then, this particular incident prompted the ICO chief, Paul Arnold, to remind healthcare staff that it was illegal to view medical records without a legitimate reason: “Having the ability to view a record is not the same as having a legitimate need to do so.”
The new guidance sets out the different types of unlawful access, and makes clear that where it occurs, employers may report it to the ICO and police – both of whom have the power to pursue a criminal prosecution – as well as to professional regulators, which can end a career.
Having the ability to view a record is not the same as having a legitimate need to do so,Paul Arnold
As a bonus, some newer electronic patient record systems may now be able to identify unlawful access in real time, with the capability to set up alert ‘flags’ to identify suspicious activity, the NHS said in a press release.
Under-discussed risk
“While the majority of NHS staff handle patient information responsibly and professionally every day, it’s been incredibly worrying that a small number have chosen to undermine the trust that patients place in them and cause such additional distress for families who deserved so much better from us,” said Sir Mackey.
Graeme Stewart, head of public sector at Check Point, told Cybernews that the campaign also serves as a reminder that not every data breach comes from outside the network.
“Insider threat is one of the most persistent and under-discussed risks in cybersecurity, precisely because the person accessing the data isn’t a hacker breaking down a digital door: they’re an employee with a valid login, walking through one that’s already open,” said Stewart.
The NHS gave Palantir, the US spy tech company, and other external contractors “unlimited access” to millions of people’s data in 2023.
“That makes it far harder to spot using traditional security tools, which are built to keep unauthorized users out, not to question why an authorized user is looking at a record they have no clinical reason to see.”
Still, all this is rather ironic as the NHS gave Palantir, the US spy tech company, and other external contractors “unlimited access” to millions of people’s data in 2023.
Palantir’s high-profile contract with the NHS, valued at £330 million ($444 million) and designed to collate disparate data into a single system to support decision-making by healthcare professionals, is now under scrutiny.