- Almost 500 junior doctors’ personal details were published in a downloadable spreadsheet last week
- Data included national insurance numbers, addresses and phone numbers
- St Helens and Knowsley Teaching Hospitals Trust launches an investigation
Hundreds of junior doctors’ personal details were mistakenly published online by an NHS trust.
HSJ learned of the data security breach on Friday from concerned junior doctors who realised their personal details were accessible simply by using internet search engines.
The search results linked to a downloadable spreadsheet on a website that was part of St Helens and Knowsley Teaching Hospitals Trust’s web domain.
The document showed 496 junior doctors’ personal details. The 19 columns included information such as where they worked in the North West, home addresses, national insurance numbers, email addresses and mobile phone numbers.
It is not known how long the spreadsheet had been available online.
It was taken down by the trust immediately after concerned staff contacted its communications team on Friday afternoon, though it was still available for several hours after HSJ learned of the breach.
HSJ delayed publication of this story until today to allow the trust to fully remove the data over the weekend. The trust said today any risk to individuals was minimal and an investigation was underway.
One junior doctor whose details were included in the spreadsheet said they could not believe so much data was made available.
They said: “I didn’t think all of that would be accessible from Google but I tried it and there it was: all my personal information out there for the whole world to see and download.
“I’m glad the trust acted so quickly but this should never have been loaded on to the website in the first place. It has left all of us potentially at risk of identity theft or fraud or worse. It’s pretty shocking.”
The trust said it had contacted the Information Commissioner’s Office and was in contact with the junior doctors affected.
It said while the website was part of its sthk.nhs.uk web domain, the page where the data was published was hosted by an external supplier.
A trust spokeswoman said: “On Friday 28 July the trust was made aware of a data breach relating to a particular cohort of lead employer trainees via a website hosted by an external IT supplier. The data was immediately removed and an investigation commenced.
“The data breach has been reviewed independently and the trust has been assured that the risk to personal security is minimal. The trust has informed the Information Commissioner’s Office and will be providing a full report upon completion of an investigation.
“We continue to liaise with the trainees affected and have apologised profusely for any distress or inconvenience caused.”
Information provided to HSJ
28 July 2017