NHS employees breached data protection policies at least 806 times in the past three years, a report has revealed.

The incidents happened between July 2008 and July 2011 across 152 trusts, according to the report by campaign group Big Brother Watch.

The figures, released following a Freedom of Information Act request, showed there were 23 incidents where NHS staff were found to have posted confidential medical information on social networking sites – either mentioning a patient’s name, commenting on them or sharing details from their confidential records. In one instance at Nottingham University Hospital Trust a doctor was dismissed after posting a picture of a patient on Facebook.

There were more than 90 incidents where NHS employees inappropriately accessed or used the private medical information of their colleagues, and more than 30 incidents where they sought information on family members. The actions have led to 102 NHS staff being sacked.

The figures also showed unsecured confidential medical information was lost on 57 occasions across 24 trusts.

Information commissioner Christopher Graham warned in July that a culture change was needed within the health service to ensure patients’ personal information was kept secure.

A spokesman for the Information Commissioner’s Office said: “The health service holds some of the most sensitive personal information available.

“It is therefore vitally important that organisations across the NHS make sure that they are taking adequate measures to keep patients’ information secure.”

Health minister Simon Burns said: “It is completely unacceptable for staff with no involvement in providing or supporting care to access confidential patient information.”