Cambridge University Hospitals UK confirms a breach incident

January 4, 2024
Cambridge University Hospitals NHS Foundation Trust UK Data Breach Incident

British public healthcare provider Cambridge University Hospitals NHS Foundation Trust has recently confirmed two data breaches caused by the accidental disclosure of patient data in Excel spreadsheets sent in response to Freedom of Information (FOI) requests.

The initial breach occurred in response to an FOI request submitted via the What Do They Know website. The Trust's CEO clarified that the Trust mistakenly shared personal data that was not immediately visible in the provided spreadsheet but was accessible through a 'pivot table.'

The exposed data covered 22,073 patients who received maternity care at The Rosie Hospital between January 2, 2016, and December 31, 2019, including details such as names, hospital numbers, and birth outcomes.

The Cambridge University Hospitals breach is eerily similar to another incident this year.

According to investigations, this data leak incident at Cambridge University Hospitals is comparable to a more severe incident earlier in the year at the Police Service of Northern Ireland (PSNI).

The sensitive information in that incident also leaked through What Do They Know, concealed by a pivot table. In response to such incidents, the ICO called for an immediate halt to using Excel spreadsheets for FOI data publication and published guidance regarding pivot tables.

The affected healthcare institution became aware of the breach when What Do They Know administrators discovered it and promptly removed the exposed information from their website. This discovery prompted a comprehensive investigation by the NHS Trust into FOI requests handled over the past ten years, leading to the discovery of a second breach in 2021.

In the 2021 incident, a spreadsheet sent to Wilmington PLC inadvertently included names, hospital numbers, and some medical information for 373 cancer patients undergoing clinical trials.

As of now, the CEO said that the Trust has opted not to notify the maternity patients affected by the initial breach directly, since it believes that some patients might wish to avoid the risk of family members learning of an undisclosed pregnancy.

On the other hand, the hospital took a different approach for cancer patients, recognising that self-identification would be difficult for this group based on the available information. The Trust communicated directly with the cancer patients involved in this breach, illustrating how challenging it is for affected parties to deal with data breaches that touch human lives.
