• Cambridge University Hospitals “apologises unreservedly” for two breaches
  • Trust wrongly released names, patients’ hospital numbers and “some medical information”
  • Breaches happened in 2020 and 2021 but had only “recently come to light”

A major teaching trust mistakenly released private information belonging to more than 22,000 patients in two major data breaches.

In a statement, Cambridge University Hospitals Foundation Trust “apologised unreservedly” for the breaches, which it said were “unacceptable given our clear duty to maintain the confidentiality of patient information”.

The trust said the breaches, both of which involved the trust’s responses to Freedom of Information requests, happened in 2020 and 2021 but had only “recently come to light”.

The first breach related to maternity patients and involved the release of “names, hospital numbers of patients and their birth outcomes”, and the second breach related to cancer patients and included “names, hospital numbers and some medical information”.

CUH chief executive Roland Sinker said in a statement: “Both [breaches] were the result of mistakenly including patient information in Excel spreadsheets in response to Freedom of Information Act requests. The information included the patients’ names, hospital numbers and some medical information.

“No home addresses or dates of birth were included, and we have found no evidence in either case of the information being accessed or shared any further.”

Maternity data

The maternity data breach involved data relating to 22,073 patients booked for care at The Rosie Hospital between 2 January 2016 and 31 December 2019, with the data being published to the What Do They Know Website. Mr Sinker’s statement explained the personal data was not “immediately visible in the spreadsheet” the trust provided but could be accessed using a pivot table.

He added: “The What Do They Know website group alerted the trust to the breach and promptly removed the information from their own website.”

University Hospital Southampton FT reported a similar breach yesterday although it related to just 112 maternity patients. The data breach also occurred following an FOI request which was published on the What Do They Know website in November 2020. UHS apologised in a statement  which said the patients involved had been seen by the trust between 2016 and 2019.

It is not yet clear if any other trusts have experienced similar issues in terms of data breaches relating to FOI requests which have been published on What Do They Know.

Second breach found

CUH said the maternity data incident prompted it to review around 8,000 FOI requests from the last 10 years, which is how it discovered the second breach of 373 cancer patients on clinical trials as “part of an FOI response to Wilmington PLC. We have requested confirmation from Wilmington PLC that it has been deleted.”

Wilmington owns HSJ, but the FOI request was related to the company’s research business and was not an editorial inquiry. Wilmington confirmed that it had received the request to delete the data and would comply.

Mr Sinker added: “While there is no evidence in either case of the information being accessed or shared beyond the original recipients, we recognise that such errors are unacceptable given our clear duty to maintain the confidentiality of patient information.

“We want to apologise unreservedly to our patients for the worry and concern that this news may cause.”

The trust said it had decided not to write directly to the maternity patients because “given the sensitivity of the maternity information, we believe that some patients may wish to avoid any risk of family members finding out about a previously undisclosed pregnancy.

“It is also straightforward for this group of patients to identify themselves based on the date range above. Therefore we have decided not to write directly to these patients.”

CUH CEO’s statement said this was “not the case for the cancer patients, for whom self-identification would be less straightforward based on the same level of information, and so we have written to these patients directly”.

The trust has set up a dedicated freephone helpline 0808 175 6331, email support and published a frequently answered questions  section on its website for patients who think they might be affected. The Information Commissioner’s Office has been informed.

Local MPs Anthony Browne and Daniel Zeichner called for “a full review to ensure that this cannot happen again” but praised the trust for acting “swiftly and responsibly, in consultation with patient groups”.

HSJ Digital Transformation Summit | 8-9 February 2024, Park Regis Birmingham

Join 120+ digital, clinical and operational board leaders from across the ICS and provider landscape at the HSJ Digital Transformation Summit, on 8 – 9 February 2024, Park Regis Birmingham.

Discover how to maximise the potential of digital within your organisation, to fundamentally transform health service delivery, and discover strategies and solutions to the pressing system challenges of today.

Benefit from 30+ interactive sessions with dedicated Q&A time to share/learn best practice and raise challenges with 40+ expert speakers, in a safe Chatham House Rule environment.

Delegate places are fully funded and include overnight accommodation at the Park Regis, and a seat at the networking dinner with an engaging after dinner speaker on 8 February.

Register now to secure your place.