Cambridge University Hospitals (CUH) Trust has admitted it suffered two data breaches in 2020 and 2021 because of mismanaged Freedom of Information (FoI) requests.

In a statement on the Trust’s website, chief executive Roland Sinker apologised to patients for the two data breaches, which he said have recently come to light.
Both were the result of mistakenly including patient information in Excel spreadsheets in response to Freedom of Information Act (FOI) requests. The information included the patients’ names, hospital numbers and some medical information.
No home addresses or dates of birth were included, and Sinker said there was no evidence in either case of the information being accessed or shared any further.
FoI request error
The first case related to data provided in an FoI request via the What Do They Know website.
“In responding to the request, we mistakenly shared some personal data which was not immediately visible in the spreadsheet we provided but which could be accessed via a ‘pivot table’,” said Sinker.
This data related to 22,073 patients booked for maternity care at The Rosie Hospital between 2 January 2016 and 31 December 2019. It included the names and hospital numbers of patients and their birth outcomes.
The group behind the What Do They Know website alerted the Trust to the breach and removed the information from its own website.
Sinker said that after discovering that data breach, the Trust undertook a review of the 8000 FoI requests it has responded to in the past 10 years. In doing so, it found one further case where patient data was mistakenly contained in a spreadsheet sent in 2021 as part of an FOI response to Wilmington PLC. The Trust has requested confirmation from Wilmington PLC that the data has been deleted.
This data related to 373 cancer patients on clinical trials and included their names, hospital numbers and some medical information.
Sensitivity of information
Sinker said while there is no evidence in either case of the information being accessed or shared beyond the original recipients, “we recognise that such errors are unacceptable given our clear duty to maintain the confidentiality of patient information.
“We want to apologise unreservedly to our patients for the worry and concern that this news may cause.”
The chief exec said the Trust has chosen not to directly contact some of the patients affected after giving “careful consideration to the benefits and risks of writing to the patients affected.
“Given the sensitivity of the maternity information, we believe that some patients may wish to avoid any risk of family members finding out about a previously undisclosed pregnancy. It is also straightforward for this group of patients to identify themselves based on the date range above. Therefore, we have decided not to write directly to these patients.”
This is not the case for the cancer patients, for whom self-identification would be less straightforward based on the same level of information, and so he said the Trust has written to these patients directly.
The Trust has informed the Information Commissioner’s Office (ICO) about both data breaches and said it has taken immediate steps to strengthen its FOI processes “to ensure that this kind of human error does not take place again.”
Call for a full review
“We are pleased that robust plans have been put in place to support any service users who have been affected, both with the data implications but also with support for mental health or anxieties this news may bring,” said Caroline Zwierzchowska-Dod, lead for the service user partnership group Rosie Maternity and Neonatal Voices. “We encourage any women, birthing people and their families affected to reach out to the helpline if they would like to discuss the impact this has on them and their wellbeing.”
Anthony Browne, MP for South Cambridgeshire, described the breach as “concerning for those affected,” but said he was “reassured that CUH has acted promptly to put measures in place to prevent this happening again.”
MP for Cambridge Daniel Zeichner called for a full review “to ensure that this cannot happen again.”
FoI breaches becoming widespread
In August, personal details of police officers and staff in Northern Ireland were made public in error by police as they responded to a routine freedom of information (FoI) request.
Last month Southend Council referred itself to the ICO following a data breach in May which saw a spreadsheet containing anonymised job role and structure data for one department uploaded online in response to an FoI request.
Dominic Trott, UK director of strategy and alliances at Orange Cyberdefense, said that the issue of FoI breaches is becoming widespread, and that public sector bodies need to augment their security measures as a result. He believes in an approach driven by people, process, and technology to ensure that if one element fails (the people side in this case) the others will ensure security is maintained.
“Using the combined power of ‘people, process and technology’ to uphold data security measures can mitigate numerous breaches by adding layers of security and providing a safety net if one element fails. In practice, this means driving awareness campaigns for staff that handle sensitive data, implementing procedural updates to ensure security protocols are adhered to, and deploying technology to identify and defend against risk where possible.”




