Yet another UK public sector data blab, this time info of pregnant women, cancer patients


More than 22,000 patients of Cambridge University Hospitals NHS Foundation Trust were hit by data leaks that took place between 2020 and 2021.

In both cases, it was an own goal, as the org handed over the data itself while responding to requests made under the Freedom of Information (FoI) Act 2000. Also in both cases, information was accidentally left visible in the pivot tables of Excel spreadsheets in the responses.

The majority of the patients whose data was made accessible (22,073) were maternity patients of The Rosie Hospital at the Addenbrooke's Hospital site. The information disclosed included names, hospital numbers, and medical information such as birth outcomes and conception dates.

Individuals booked for care at The Rosie Hospital between January 2, 2016, and December 31, 2019, were impacted by the response, which was posted to the online FoI website WhatDoTheyKnow.

The website alerted the trust that they could see the data and promptly removed the information when it learned of its exposure. It was accessible on WhatDoTheyKnow between November 18, 2020, and November 1, 2023.

NHS England's national cybersecurity team also helped the trust ensure the data was not available anywhere on the internet.

"While there is no evidence in either case of the information being accessed or shared beyond the original recipients, we recognize that such errors are unacceptable given our clear duty to maintain the confidentiality of patient information," the trust said.

The FoI request itself sought information on a number of matters, including the number of pregnant women considered to have a high or low-risk pregnancy, and questions about rates of premature births and deaths of babies.

The trust said that once it became aware of the breach it audited every FoI response from the past 10 years for similar errors – about 8,000 responses – and found an additional case from 2021 in which the data of 373 cancer patients in clinical trials was exposed.


Rather than having information publicly exposed on a website like WhatDoTheyKnow, in this case the response had been issued privately to Wilmington PLC, a company that owns brands in the publishing, information, and training sectors, focusing on compliance, legal, and healthcare.

Names, hospital numbers, and some medical information were included in responses. The trust has written to Wilmington PLC asking for this data to be deleted.

The FoI request sought details related to the treatment of patients with specific types of cancer within the previous six months of the request's submission.

"While there is no evidence in either case of the information being accessed or shared beyond the original recipients, we recognize that such errors are unacceptable given our clear duty to maintain the confidentiality of patient information," the trust said in a statement posted to its website.

"We want to apologize unreservedly to our patients for the distress and concern that this news may cause."

Special consideration has also been given to the decision as to whether to contact affected patients directly, the trust confirmed.

Given that the data related to maternity patients also included information regarding birth outcomes, the trust made the decision not to contact affected individuals directly in case they would want to prevent family members from learning about pregnancies, for example.

"It is also straightforward for this group of patients to identify themselves based on the date range above," it said. "Therefore we have decided not to write directly to these patients.

"This is not the case for the cancer patients, for whom self-identification would be less straightforward based on the same level of information, and so we have written to these patients directly."

Any individuals who are concerned about being potentially affected can access support via freephone or email, details of which can be found on the trust's website.

"This is a serious data breach, which should not have happened," said Daniel Zeichner, MP for Cambridge. "I am pleased that once they were aware, the trust has acted swiftly and responsibly, in consultation with patient groups, and has put in place active measures to support those affected.

"Anyone concerned should contact the trust for support. There now needs to be a full investigation to ensure that this cannot happen again."

In response, the trust has also increased the scrutiny of its FoI process, prohibiting spreadsheet responses, and commissioned an external review of the process.
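
A pre-release check for the failure described in this story, as an added example (not code from the trust, the ICO or The Register): an .xlsx file is a ZIP package, and by default a pivot table's source columns and rows are cached under `xl/pivotCache/` and travel with the file even when only the summary is on screen. The function names and the sample package are hypothetical and constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
CACHE_DIR = "xl/pivotCache/"

def pivot_cache_report(xlsx_bytes):
    """Summarise source data cached for pivot tables inside an .xlsx package."""
    report = {"fields": {}, "cached_rows": 0}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith(CACHE_DIR) and name.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(name))
            if root.tag == NS + "pivotCacheDefinition":
                # Each cacheField is a source column; sharedItems holds its distinct values.
                for field in root.iter(NS + "cacheField"):
                    shared = field.find(NS + "sharedItems")
                    count = len(list(shared)) if shared is not None else 0
                    report["fields"][field.get("name")] = count
            elif root.tag == NS + "pivotCacheRecords":
                # Each <r> element is one row of the original source range.
                report["cached_rows"] += len(root.findall(NS + "r"))
    return report

def safe_to_release(xlsx_bytes):
    """True only when the package carries no cached pivot source data."""
    report = pivot_cache_report(xlsx_bytes)
    return not report["fields"] and report["cached_rows"] == 0

def build_sample(with_pivot_cache):
    """Constructed minimal package (not a real FoI response) for the demo."""
    ns = 'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", f"<workbook {ns}/>")
        if with_pivot_cache:
            zf.writestr(CACHE_DIR + "pivotCacheDefinition1.xml",
                f'<pivotCacheDefinition {ns}><cacheFields count="2">'
                '<cacheField name="PatientRef"><sharedItems count="2">'
                '<s v="CONSTRUCTED-001"/><s v="CONSTRUCTED-002"/></sharedItems></cacheField>'
                '<cacheField name="Outcome"><sharedItems count="1"><s v="A"/></sharedItems>'
                '</cacheField></cacheFields></pivotCacheDefinition>')
            zf.writestr(CACHE_DIR + "pivotCacheRecords1.xml",
                f'<pivotCacheRecords {ns} count="2">'
                '<r><x v="0"/><x v="0"/></r><r><x v="1"/><x v="0"/></r></pivotCacheRecords>')
    return buf.getvalue()

if __name__ == "__main__":
    print(pivot_cache_report(build_sample(True)))
    print(safe_to_release(build_sample(False)))
```

A file that passes this check can still carry personal data in hidden sheets or ordinary cells, so it complements exporting the response to a flat format rather than replacing it.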

The Information Commissioner's Office (ICO) has been made aware of the incidents, and a spokesperson told The Register that the watchdog is assessing the information provided.

"We have previously issued an advisory notice to public authorities calling for an immediate end to the use of original source Excel spreadsheets when responding publicly to FoI requests," the spokesperson said. "This follows a number of recent data breaches where personal information was inadvertently included in spreadsheets that were shared as part of a FoI response.

"Public authorities should be putting robust measures in place to protect personal data when responding to information access requests, and to assure the people they serve, and their staff, that their information is in safe hands."

As highlighted by the ICO, the incident at Addenbrooke's Hospital marks the latest in a long line of data breaches at UK public sector organizations this year.

The Police Service of Northern Ireland (PSNI) was one such example, where a spreadsheet was leaked online containing extensive details of all serving officers and civilian staffers. The incident sparked fears for officer safety due to ongoing tensions from the region's sectarian divide, despite the Good Friday Agreement being signed in 1998.

Norfolk and Suffolk police forces both admitted to data breaches involving spreadsheets in August, in the same week Cumbria constabulary also accidentally leaked officers' details online.

Breaches at third-party suppliers were blamed for the data leaks impacting London's Metropolitan Police and Greater Manchester Police. Officers' details were also exposed in both cases.

While not in the UK, the data of officers at the Irish National Police (An Garda Síochána) was also exposed after a third-party contractor ran its database without password protection.