More than 22,000 patients of Cambridge University Hospitals NHS Foundation Trust were hit by data leaks that took place between 2020 and 2021.
In both cases, it was an own goal when the org handed over the data itself while responding to requests made under the Freedom of Information Act 2000.
Also in both cases, extraneous information was left visible in the pivot tables of Excel spreadsheets in the responses.
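Pivot tables leak this way because an .xlsx carries a pivot cache (xl/pivotCache/pivotCacheRecords*.xml) holding every source row, which survives deleting the source sheet and can be drilled into from any pivot cell. As an added illustration, not code from the article or the trust, here is a pre-release check over an outgoing workbook that flags that cache and any hidden sheets; the sample workbook and the function names are constructed for the demonstration.

```python
import io
import re
import zipfile


def audit_xlsx(data: bytes) -> dict:
    """Report hidden-data carriers in an .xlsx (a ZIP of XML parts):
    cached pivot source rows and sheets marked hidden/veryHidden."""
    findings = {"pivot_cache_parts": [], "pivot_cache_rows": 0, "hidden_sheets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for name in names:
            if name.startswith("xl/pivotCache/pivotCacheRecords"):
                xml = zf.read(name).decode("utf-8", "replace")
                findings["pivot_cache_parts"].append(name)
                # Each cached source row is one <r> element.
                findings["pivot_cache_rows"] += len(re.findall(r"<r\b[^>]*>", xml))
        if "xl/workbook.xml" in names:
            wb = zf.read("xl/workbook.xml").decode("utf-8", "replace")
            # Assumes the usual attribute order (name before state), as Excel writes it.
            pat = r'<sheet\b[^>]*?name="([^"]+)"[^>]*?state="(?:hidden|veryHidden)"'
            findings["hidden_sheets"] = re.findall(pat, wb)
    return findings


def build_sample_xlsx(include_cache: bool = True) -> bytes:
    """Constructed minimal workbook (not a real FoI response) for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml",
                    '<workbook><sheets>'
                    '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
                    '<sheet name="RawData" sheetId="2" state="hidden" r:id="rId2"/>'
                    '</sheets></workbook>')
        if include_cache:
            # Three cached source rows, i.e. one per record in the original table.
            rows = "".join('<r><s v="record-%d"/><x v="0"/></r>' % i for i in range(3))
            zf.writestr("xl/pivotCache/pivotCacheRecords1.xml",
                        '<pivotCacheRecords count="3">%s</pivotCacheRecords>' % rows)
    return buf.getvalue()


def release_safe(data: bytes) -> bool:
    """True only if the workbook carries no pivot cache rows and no hidden sheets."""
    f = audit_xlsx(data)
    return f["pivot_cache_rows"] == 0 and not f["hidden_sheets"]
```

A workbook that fails this gate should be rebuilt as values-only (paste values into a fresh file) rather than "cleaned" by deleting the source sheet, since the cache is what the pivot table reads.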
The majority of the patients whose data was made public were maternity patients of The Rosie Hospital at the Addenbrooke's Hospital site.
The information revealed included names, hospital numbers, and medical information such as birth outcomes and conception dates.
The website hosting the response alerted the trust that the data was visible, and promptly removed the information when it learned of the exposure.
NHS England's national cybersecurity team also helped the trust ensure the data was not available anywhere on the internet.
The FoI request itself sought information on a number of matters, including the number of pregnant women considered to have a high- or low-risk pregnancy, and questions around rates of premature births and deaths of babies.
The trust said once it became aware of the breach it audited every FoI response from the past 10 years for similar errors - around 8,000 responses - and found an additional case from 2021 in which the data of 373 cancer patients in clinical trials was exposed.
Rather than having information publicly exposed on a website like WhatDoTheyKnow, in this case the response had been issued privately to Wilmington PLC, a company that owns brands in the publishing, information, and training sectors, focusing on compliance, legal, and healthcare.
Names, hospital numbers, and some medical information were included in responses.
The trust has written to Wilmington PLC asking for this data to be deleted.
The FoI request sought details related to the treatment of patients with specific types of cancer within the previous six months of the request's submission.
Special consideration was also given to whether to contact affected patients directly, the trust confirmed.
Given that the data relating to maternity patients also included information on birth outcomes, the trust decided not to contact affected individuals directly, in case they would want to avoid family members learning about pregnancies, for example.
The Information Commissioner's Office has been made aware of the incidents, and a spokesperson told The Register that the watchdog is assessing the information provided.
As highlighted by the ICO, the incident at Addenbrooke's Hospital marks the latest in a long line of data breaches at UK public sector organizations this year.
Norfolk and Suffolk police forces both admitted to data breaches involving spreadsheets in August, in the same week Cumbria constabulary also unwittingly leaked officers' details online.
Breaches at third-party suppliers were blamed for the data leaks impacting London's Metropolitan Police and Greater Manchester Police.
While not in the UK, the data of officers at the Irish National Police was also exposed after a third-party contractor ran its database without password protection.
This Cyber News was published on go.theregister.com. Publication date: Thu, 07 Dec 2023 13:43:04 +0000