Cambridge University Hospitals apologises after data breaches involving more than 22,000 maternity and cancer patients revealed
Personal details of more than 22,000 maternity and cancer patients were mistakenly published online in two data breaches, a hospital trust has announced.
Cambridge University Hospitals NHS Trust, which runs Addenbrooke’s and the Rosie, said the data included patients’ names, hospital numbers and some medical information.
The information was mistakenly published in Excel spreadsheets the hospital had released in response to Freedom of Information Act (FOI) requests in 2020 and 2021.
The hospital has apologised and said no home addresses or dates of birth were included, and it had found no evidence in either case of the information being accessed or shared any further.
The first breach, which was published on the What Do They Know website, concerned patients who were booked for maternity care at The Rosie Hospital between January 2, 2016 and December 31, 2019.
Once the breach had been detected, the hospital checked previous FOI responses and found a second breach which affected 373 cancer patients taking part in clinical trials at the hospital. On this occasion, the data had been released as part of a response to Wilmington PLC, who have confirmed that it has been deleted. In total across the two breaches, 22,446 patients have been affected.
Chief executive Roland Sinker said: “While there is no evidence in either case of the information being accessed or shared beyond the original recipients, we recognise that such errors are unacceptable given our clear duty to maintain the confidentiality of patient information.
“We want to apologise unreservedly to our patients for the worry and concern that this news may cause.”
The trust said it had given “careful consideration” when deciding whether to write to patients or not to inform them of the data breach
Mr Sinker said: “Given the sensitivity of the maternity information, we believe that some patients may wish to avoid any risk of family members finding out about a previously undisclosed pregnancy.
“It is also straightforward for this group of patients to identify themselves based on the date range above. Therefore we have decided not to write directly to these patients.”
The hospital said self-identification among the affected cancer patients would be more difficult, so letters have been sent to those people.
Daniel Zeichner, MP for Cambridge, called for a review into how the breach happened.
“I am pleased that once they were aware, the trust has acted swiftly and responsibly, in consultation with patient groups, and has put in place sensible measures to support those affected,” he said, adding: “Anyone concerned should contact the trust for support. There now needs to be a full review to ensure that this cannot happen again.”
Caroline Zwierzchowska-Dod, lead for the service user partnership group Rosie Maternity and Neonatal Voices, asked anyone with concerns to reach out.
She said: “We are pleased that robust plans have been put in place to support any service users who have been affected, both with the data implications but also with support for mental health or anxieties this news may bring.
“We encourage any women, birthing people and their families affected to reach out to the helpline if they would like to discuss the impact this has on them and their wellbeing.”
The trust has set up a dedicated freephone helpline 0808 175 6331 for any patients who are concerned their data is involved.
It has also informed the Information Commissioner’s Office about both data breaches and has taken immediate steps to “strengthen our FOI processes” to ensure that “this kind of human error” does not take place again.
Anthony Browne, MP for South Cambridgeshire, added: “It will obviously be concerning for those affected, but I am reassured that CUH has acted promptly to put measures in place to prevent this happening again. Anyone who is worried about their data should contact the hospital for further information.”