The Cambridge University Hospitals (CUH) NHS trust has admitted two data breaches that saw information from more than 22,000 maternity hospital and cancer patients made available online. The trust says it has not found evidence that the data has been accessed by third parties.
Patient names, hospital numbers and some medical information were included in the leaks, which occurred when the hospital was responding to requests under the Freedom of Information Act (FOI). Other public sector organisations have had similar data breaches exposed in recent months.
CUH is the NHS foundation trust that runs Addenbrooke’s Hospital, one of the UK’s largest teaching hospitals, and the Rosie Maternity Hospital in Cambridge. CUH staff treated over one million patients in the year to April 2022, with 100 babies a week born at The Rosie.
Cambridge University Hospitals admits data breach
The data breaches took place in 2020 and 2021 according to CUH chief executive Roland Sinker. The first case relates to data provided in an FOI request via the What Do They Know website. In responding to the request, Sinker said the trust “mistakenly shared some personal data which was not immediately visible in the spreadsheet we provided but which could be accessed via a ‘pivot table’”.
This data related to 22,073 patients booked for maternity care at the Rosie between 2 January 2016 and 31 December 2019, and included the names and hospital numbers of patients and their birth outcomes, Sinker said. CUH was alerted to the error by What Do They Know, which removed the information.
Subsequently, CUH conducted a review of all FOI requests it had responded to in the past decade, and discovered another case where patient data was mistakenly contained in a spreadsheet sent in 2021 as part of an FOI response to Wilmington PLC, a company that provides intelligence, advice and training around regulatory compliance. This data related to 373 cancer patients on clinical trials and included their names, hospital numbers and some medical information, and CUH said it had contacted Wilmington to check it had been deleted.
Sinker said: “While there is no evidence in either case of the information being accessed or shared beyond the original recipients, we recognise that such errors are unacceptable given our clear duty to maintain the confidentiality of patient information.”
He added that CUH apologises “unreservedly to our patients for the worry and concern that this news may cause”.
CUH is writing to the affected cancer patients, but will not contact patients hit by the first breach due to the sensitivity of maternity information. Patients who think they have been impacted by the breach are being urged to contact the hospital trust for more information.
Data watchdog the Information Commissioner’s Office has been informed, CUH said.
Cambridge MP Daniel Zeichner said: “This a serious data breach, which should not have happened. I am pleased that once they were aware, the trust has acted swiftly and responsibly, in consultation with patient groups, and has put in place sensible measures to support those affected.
“Anyone concerned should contact the trust for support. There now needs to be a full review to ensure that this cannot happen again.”
The perils of FOI requests and data breaches
Cambridge University Hospitals is not the first public sector organisation to suffer a data breach relating to an FOI request.
In August, information on a “substantial number” of the Police Service of Northern Ireland’s 10,000 staff was inadvertently posted online as part of an FOI response. Though it was taken down hours later, many staff were reportedly left fearing they could be targeted by paramilitary groups after having their identities exposed.
A month later, Norfolk and Suffolk police said the personal details it held on 1,000 victims of crime, witnesses and suspects had been posted online. The information, which was stored in a database jointly held by the two forces, related to a range of offences including domestic incidents, sexual offences and hate crimes.
The information was included in a response to FOI requests about crime statistics for the period April 2021 to May 2022. The police forces said at the time that they did not have any evidence that the data had been misused and that they would be contacting those affected.