Cambridge University Hospitals NHS Foundation Trust has acknowledged two historical data breaches, both originating from the unintended disclosure of patient data through Excel spreadsheets in response to Freedom of Information (FOI) requests. CEO Roland Sinker disclosed the incidents, noting that the first breach, which took place in 2021, had recently come to light. In this case, personal data related to 22,073 maternity care patients at The Rosie Hospital was mistakenly shared through an FOI request, with the data accessible via a ‘pivot table.’ The breach was reminiscent of a similar incident at the Police Service of Northern Ireland earlier that year.
The breach was discovered by administrators at the What Do They Know website, prompting the immediate removal of the exposed information. Subsequent investigations by the NHS trust into its FOI requests from the past decade revealed another breach in 2021. In this incident, a spreadsheet sent to Wilmington PLC inadvertently included names, hospital numbers, and some medical information of 373 cancer patients participating in clinical trials.
The trust decided not to directly notify the maternity patients affected by the first breach, citing concerns about the sensitivity of the information and the potential risk of undisclosed pregnancies becoming known within families. For the cancer patients, direct communication was deemed necessary due to the complexity of self-identification based on the available information. The incidents underscore the challenges associated with handling sensitive medical data and the inadvertent risks posed by Excel spreadsheets in FOI responses, echoing recent guidance from the Information Commissioner’s Office (ICO) calling for caution in using Excel for publishing FOI data.
The breaches highlight the need for ongoing vigilance in data handling practices, especially in the context of FOI requests, and the healthcare sector’s commitment to ensuring patient privacy amid evolving threats and data security challenges.
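A pre-release check for the pivot-table exposure described above, as an added example that is not part of the original article or any tool used by the trust: it opens an .xlsx file as a ZIP package and reports pivot cache parts (where Excel stores a pivot table's source data) and hidden sheets. The sample workbook, its sheet names and its values are constructed, and `scan_xlsx` and `constructed_sample` are hypothetical helper names.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

URI = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = "{" + URI + "}"

def scan_xlsx(data: bytes) -> list[str]:
    """Return findings that should hold an .xlsx back from release."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        for name in names:
            # Pivot cache parts hold a copy of the pivot table's source data.
            if re.fullmatch(r"xl/pivotCache/pivotCacheRecords\d+\.xml", name):
                rows = ET.fromstring(z.read(name)).findall(NS + "r")
                findings.append(f"{name}: {len(rows)} cached source rows")
            elif re.fullmatch(r"xl/pivotCache/pivotCacheDefinition\d+\.xml", name):
                root = ET.fromstring(z.read(name))
                values = sum(len(si) for si in root.iter(NS + "sharedItems"))
                findings.append(f"{name}: {values} cached field values")
        if "xl/workbook.xml" in names:
            for sheet in ET.fromstring(z.read("xl/workbook.xml")).iter(NS + "sheet"):
                state = sheet.get("state", "visible")
                if state != "visible":  # "hidden" or "veryHidden"
                    findings.append(f"sheet {sheet.get('name')!r} is {state}")
    return findings

def constructed_sample() -> bytes:
    """Constructed, minimal package: only the parts the scan reads."""
    main = f'xmlns="{URI}"'
    rel = 'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"'
    parts = {
        "xl/workbook.xml": f'<workbook {main} {rel}><sheets>'
            '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
            '<sheet name="Source" sheetId="2" state="hidden" r:id="rId2"/></sheets></workbook>',
        "xl/pivotCache/pivotCacheDefinition1.xml": f'<pivotCacheDefinition {main}>'
            '<cacheFields><cacheField name="Patient"><sharedItems>'
            '<s v="PERSON A"/><s v="PERSON B"/>'
            '</sharedItems></cacheField></cacheFields></pivotCacheDefinition>',
        "xl/pivotCache/pivotCacheRecords1.xml": f'<pivotCacheRecords {main}>'
            '<r><x v="0"/></r><r><x v="1"/></r><r><x v="0"/></r></pivotCacheRecords>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()
```

An empty result covers only these two checks; it does not show that the visible cells themselves are free of personal data.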