Yet another UK public sector data blab, this time info of pregnant women, cancer patients

December 7, 2023 at 07:46AM

Over 22,000 patients’ data were exposed by Cambridge University Hospitals NHS Foundation Trust due to errors responding to Freedom of Information requests. Maternity and cancer patient details were inadvertently revealed. The Trust has since audited past FoI responses, improved data security measures, and is cooperating with the ICO.

Meeting Takeaways:

1. Data Breach Incident: Cambridge University Hospitals NHS Foundation Trust experienced data leaks affecting over 22,000 patients between 2020 and 2021.

2. Cause of Leak: The data was disclosed inadvertently via Excel pivot tables included in information released under Freedom of Information Act requests.

3. Patients Affected: The majority were maternity patients at The Rosie Hospital (22,073 individuals), with exposed data including names, hospital numbers, and sensitive medical details.

4. Public Exposure: The leaked information was posted to the FoI website WhatDoTheyKnow and was available from November 18, 2020, to November 1, 2023, before being removed.

5. Secondary Exposure Incident: A separate leak involved the data of 373 cancer patients in clinical trials, released to Wilmington PLC.

6. Trust’s Response: The NHS cybersecurity team aided in removing online data traces, a ten-year audit of past FoI responses was conducted, and an external FoI process review was initiated, ceasing spreadsheet responses.

7. Apology and Justification: The trust issued an apology and explained the decision not to contact all affected patients directly due to the potential sensitivity surrounding the disclosed information.

8. Support for Affected Individuals: Affected parties are encouraged to use the trust’s provided freephone and email support services.

9. Political Reaction: Daniel Zeichner, MP for Cambridge, acknowledged the trust’s swift action, emphasized the need for continued support, and called for a review to prevent future incidents.

10. Regulatory Attention: The Information Commissioner’s Office (ICO) is aware of the breach and reiterated warnings to public authorities against using raw spreadsheets for FoI responses, demanding better data protection measures.

11. Contextual Breaches: The incident is part of a series of data breaches in UK public sector organizations, including police forces and third-party suppliers, highlighting systemic issues within public data handling practices.
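The leak mechanism in takeaway 2 (and the ICO warning in takeaway 10) rests on a property of the .xlsx format: a workbook is a ZIP container, and a pivot table stores its own copy of the source rows in a pivot cache part, so hiding or deleting the source sheet does not remove the underlying records from the file. The following script is an added illustration of a pre-release check a records or FoI team could run; it is not code from the article, the Trust, or the ICO. It uses only the Python standard library and builds a constructed sample workbook in memory (with an assumed hidden sheet name and made-up cache rows) so it runs offline.

```python
"""Pre-release check for Excel workbooks: flag pivot caches and hidden sheets.

An .xlsx file is a ZIP archive. Pivot tables keep a copy of their source rows
in xl/pivotCache/pivotCacheRecords*.xml, and worksheets can be hidden via a
state="hidden" or state="veryHidden" attribute in xl/workbook.xml. Both are
easy to overlook in a visual review, so this check lists them before release.
"""
import io
import re
import zipfile

PIVOT_CACHE_RE = re.compile(r"^xl/pivotCache/pivotCacheRecords\d+\.xml$")


def inspect_workbook(data: bytes) -> dict:
    """Return pivot-cache parts, cached row count and hidden sheets in an .xlsx blob."""
    findings = {"pivot_caches": [], "pivot_cache_rows": 0, "hidden_sheets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for name in names:
            if PIVOT_CACHE_RE.match(name):
                findings["pivot_caches"].append(name)
                xml = zf.read(name).decode("utf-8", "replace")
                # each <r> element is one cached source row
                findings["pivot_cache_rows"] += len(re.findall(r"<r>", xml))
        if "xl/workbook.xml" in names:
            wb = zf.read("xl/workbook.xml").decode("utf-8", "replace")
            for m in re.finditer(r"<sheet\b[^>]*/>", wb):
                tag = m.group(0)
                if re.search(r'\bstate="(hidden|veryHidden)"', tag):
                    nm = re.search(r'\bname="([^"]*)"', tag)
                    findings["hidden_sheets"].append(nm.group(1) if nm else "?")
    return findings


def safe_to_release(findings: dict) -> bool:
    """A workbook passes only if it carries no pivot cache and no hidden sheets."""
    return not findings["pivot_caches"] and not findings["hidden_sheets"]


def build_sample_workbook() -> bytes:
    """Constructed sample (not a real Trust file): a visible summary sheet, a hidden
    source sheet and a pivot cache holding two made-up rows. Only the parts the
    check inspects are included, so Excel itself would not open this file."""
    workbook_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        '<sheets>'
        '<sheet name="Summary" sheetId="1"/>'
        '<sheet name="PatientList" sheetId="2" state="hidden"/>'
        '</sheets></workbook>'
    )
    cache_records = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<pivotCacheRecords xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="2">'
        '<r><s v="0"/><n v="10001"/></r>'
        '<r><s v="1"/><n v="10002"/></r>'
        '</pivotCacheRecords>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", workbook_xml)
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        zf.writestr("xl/pivotCache/pivotCacheDefinition1.xml", "<pivotCacheDefinition/>")
        zf.writestr("xl/pivotCache/pivotCacheRecords1.xml", cache_records)
    return buf.getvalue()


if __name__ == "__main__":
    result = inspect_workbook(build_sample_workbook())
    for key, value in result.items():
        print(f"{key}: {value}")
    print("safe to release:", safe_to_release(result))
```

For a real file, replace `build_sample_workbook()` with the bytes of the workbook under review. The check deliberately treats any pivot cache as a blocker rather than trying to judge whether the cached rows are sensitive: the safe remediation is the one the Trust adopted, releasing values-only exports (or non-spreadsheet formats) rather than the working file.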

Actions Taken:
– The trust has apologized to patients and the public.
– Measures to support affected individuals have been put in place.
– An external review of the FoI process has been commissioned.
– ICO has been informed and is assessing the situation.

Recommendations:
– Patients concerned about the breach should contact the trust for support.
– A full review is needed to prevent future breaches.
– Public authorities should implement robust measures for personal data protection.
– The trust has enhanced scrutiny of its FoI responses and prohibited spreadsheet use.

Please note that while the ICO has been made aware of the situation, there may be further developments in how the trust and regulatory bodies handle the breach following this meeting.