An error in Excel spreadsheets led to data leakage for pregnant women and cancer patients

Brother

A public hospital in the UK has had to review ten years' worth of its information-handling process.

More than 22,000 patients at Cambridge University Hospitals NHS Foundation Trust were victims of data breaches that occurred between 2020 and 2021. In both cases, the organization itself provided the data in response to requests made under the Freedom of Information Act (FOIA) of 2000. Confidential information remained visible in the pivot tables of Excel spreadsheets.

Most of the patients whose data were released to the public (22,073) were patients in The Rosie Hospital maternity ward on the grounds of Addenbrooke's Hospital. The information disclosed included names and medical details of birth outcomes and dates of conception.

Female patients who made appointments at Rosie Hospital between 2 January 2016 and 31 December 2019 were affected by the leak. The data was published on WhatDoTheyKnow, a website that allows citizens to make FOIA-based requests to UK authorities; the site deleted the data after learning of the disclosure. The data had been available on WhatDoTheyKnow from November 18, 2020 to November 1, 2023.

The FOIA request itself asked for information on a number of topics, including the number of pregnant women, preterm birth rates, and infant mortality.

An additional case of data leakage from 373 patients who participated in cancer clinical trials in 2021 was also detected. In this case, the information was provided to a private company, Wilmington PLC, which owns brands in the publishing, information and training sectors, with a particular focus on regulatory compliance, law and healthcare.

The NHS Foundation Trust has sent a letter to Wilmington PLC asking it to delete the transmitted data. The FOI request asked for details of the treatment of patients with specific types of cancer within the 6 months before the request was submitted.

The hospital's management conducted an audit of all FOI requests over the past 10 years (approximately 8,000 responses) and strengthened control over the FOI process by prohibiting the use of Excel spreadsheets in responses. The Information Commissioner's Office (ICO) was informed of the incidents, and the NHS Cyber Security Service gave assurances that the data was no longer available online.
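The root cause above is that a pivot table keeps a full copy of its source rows inside the workbook (the pivot cache), so a file that only displays aggregates can still carry every underlying record. The check below is an added example, not code from the post or the hospital: it treats an .xlsx as the zip archive it is, counts cached rows in xl/pivotCache/pivotCacheRecords*.xml, and flags hidden sheets in xl/workbook.xml. The sample workbook it builds is constructed for the demonstration.

```python
"""Pre-release check for .xlsx files: find data a reviewer may not see on screen.

Added example (not from the original post). An .xlsx is a zip archive; pivot tables
store their source rows in xl/pivotCache/pivotCacheRecords*.xml, and hidden sheets
carry state="hidden" or state="veryHidden" in xl/workbook.xml.
"""
import io
import re
import zipfile

PIVOT_RECORDS = re.compile(r"^xl/pivotCache/pivotCacheRecords\d+\.xml$")
HIDDEN_SHEET = re.compile(r'<sheet\b[^>]*\bname="([^"]*)"[^>]*\bstate="(?:hidden|veryHidden)"')


def audit_xlsx(data: bytes) -> dict:
    """Return pivot-cache row counts and hidden sheet names found in an .xlsx blob."""
    findings = {"pivot_cache_rows": 0, "pivot_cache_parts": [], "hidden_sheets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for name in names:
            if PIVOT_RECORDS.match(name):
                xml = zf.read(name).decode("utf-8")
                # every <r> element is one cached source row, shown in the pivot or not
                findings["pivot_cache_parts"].append(name)
                findings["pivot_cache_rows"] += len(re.findall(r"<r[ >]", xml))
        if "xl/workbook.xml" in names:
            wb = zf.read("xl/workbook.xml").decode("utf-8")
            findings["hidden_sheets"] = [m.group(1) for m in HIDDEN_SHEET.finditer(wb)]
    return findings


def build_sample_xlsx() -> bytes:
    """Constructed sample: a summary-only workbook whose pivot cache still holds 3 rows."""
    ns = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
    rel = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    records = (
        f'<pivotCacheRecords xmlns="{ns}" count="3">'
        '<r><s v="Patient A"/><n v="2016"/></r>'
        '<r><s v="Patient B"/><n v="2017"/></r>'
        '<r><s v="Patient C"/><n v="2018"/></r>'
        "</pivotCacheRecords>"
    )
    workbook = (
        f'<workbook xmlns="{ns}" xmlns:r="{rel}"><sheets>'
        '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
        '<sheet name="RawData" sheetId="2" state="hidden" r:id="rId2"/>'
        "</sheets></workbook>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/pivotCache/pivotCacheRecords1.xml", records)
    return buf.getvalue()
```

Any non-zero pivot_cache_rows or non-empty hidden_sheets on a file about to leave the organisation means the visible summary is not the whole content; export the summary to CSV or PDF, or rebuild the pivot without saving source data, before sending.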

The hospital's management acknowledged that such errors are unacceptable, given the institution's duty to maintain the confidentiality of patient information, and apologised to patients for the concern the notification may have caused. Affected patients can receive support via a toll-free phone number or email; details are available on the hospital's website.

Recall that the Freedom of Information Act has previously been the occasion for data leaks. For example, in 2011 the British Dumfries and Galloway Regional Council mistakenly published personal information about 900 current and former employees. The information was published in response to one of the requests made during an investigation related to the application of the Freedom of Information Act.