The Cambridge University Hospitals NHS Foundation Trust has confirmed two separate incidents of data breaches involving the inadvertent release of patient information through Excel spreadsheets. The breaches occurred in response to Freedom of Information (FOI) requests and were disclosed by the Trust’s CEO, Roland Sinker.
The first breach, which came to light recently, dates back to 2021 and involved the accidental sharing of data hidden within a pivot table in an Excel spreadsheet. This incident exposed personal details of 22,073 maternity patients from The Rosie Hospital between January 2, 2016, and December 31, 2019, including names, hospital numbers, and birth outcomes.
A similar breach occurred at the Police Service of Northern Ireland (PSNI) earlier this year, also involving data hidden by a pivot table. Following these incidents, the Information Commissioner’s Office (ICO) urged an end to the use of Excel spreadsheets for publishing FOI data and issued guidance on pivot tables.
The second breach involved a spreadsheet sent to Wilmington PLC in 2021, which inadvertently contained names, hospital numbers, and medical details of 373 cancer patients participating in clinical trials.
In response to these breaches, the Trust has conducted a comprehensive review of FOI requests handled over the past decade. While the Trust has chosen not to contact the maternity patients directly due to the sensitive nature of the information, it has reached out to the affected cancer patients.
These incidents highlight the need for stringent data protection measures and the careful handling of sensitive information, particularly when responding to FOI requests. The Trust’s transparency in acknowledging these breaches and its efforts to prevent future occurrences demonstrate a commitment to patient privacy and data security.
