Figures released to the privacy campaign group Big Brother Watch show that 806 separate incidents involving patient medical records being compromised took place at 152 NHS trusts between July 2008 and July 2011.
The group, which obtained data from the majority of NHS organisations in the UK, found that breaches included 23 incidents of patient information being posted on social networking sites by staff, 129 separate instances of NHS employees looking up details of colleagues and family members and 57 incidents involving unsecured confidential information being stolen or lost by staff.
Of the 129 incidents concerning healthcare staff inappropriately looking up patient information, 91 related to an NHS employee illicitly viewing the confidential medical details of a colleague. In some cases the individual was found to have revealed the information to other staff.
The 23 incidents relating to breaches involving social media shows that 11 trusts released details of such incidents, in which 13 medical personnel were involved. One of the cases resulted in the dismissal of the employee. Over the last three years 102 health service employees have been dismissed for breaching data protection.
Nick Pickles, director of Big Brother Watch, said: "This research highlights how the NHS is simply not doing enough to ensure confidential patient information is protected.
"The information held in medical records is of huge personal significance and for details to be disclosed, maliciously accessed or lost and these cases represents serious infringements on patient privacy."
The group obtained the data through freedom of information requests sent to 428 trusts in England, Scotland, Wales and Northern Ireland. It received responses from 354 trusts, with 55 providing partial responses and 74 not replying.
Commenting on the findings, health minister Simon Burns said: "It is completely unacceptable for staff with no involvement in providing or supporting care to access confidential patient information. Patients have a right to expect that their personal medical information is kept private.
"We have issued clear standards and guidance to the NHS about what needs to be done to keep patient records secure and confidential. Individual NHS organisations are responsible for ensuring their staff understand and follow that guidance. Any member of staff discovered intentionally breaching this should be subject to appropriate disciplinary action."
The group's findings follow the justice committee's recent backing for the Information Commissioner's Office (ICO) to gain more powers. A report by the committee said that the ICO should have the power to issue custodial sentences for breaches of the Data Protection Act. At present it can only issue fines to organisations which breach the act. Its report also said that the privacy watchdog has limited powers to prevent data protection breaches, particularly in the healthcare sector.
