Data breach by Addenbrooke's Hospital reveals patient information

A hospital trust has apologised after the private information of more than 22,000 patients was released in two data breaches.

The leaks, in 2020 and 2021, concerned maternity and cancer patients at Addenbrooke's Hospital, Cambridge.

Roland Sinker, chief executive of Cambridge University Hospitals NHS Foundation Trust said the breaches had "only recently come to light".

The details shared included names, hospital numbers and some medical data.

The trust said no home addresses or dates of birth were included, adding: "We have found no evidence in either case of the information being accessed or shared any further."

"I want to apologise to all of our patients for two data breaches, which happened in 2020 and 2021, and which have recently come to light," Mr Sinker said.

"Both were the result of mistakenly including patient information in Excel spreadsheets in response to Freedom of Information Act (FOI) requests."

The first case related to data provided about maternity patients in a FOI request via the What Do They Know website.

The website group alerted the trust to the breach and removed the information from their own website, said Mr Sinker.

In a statement, Mr Sinker explained: "In responding to the request, we mistakenly shared some personal data which was not immediately visible in the spreadsheet we provided but which could be accessed via a 'pivot table'.

"This data related to 22,073 patients booked for maternity care at The Rosie Hospital between 2 January 2016 and 31 December 2019.

"It included the names and hospital numbers of patients and their birth outcomes."

Following discovery of the breach, the trust said it undertook a review of all the FOI requests (some 8,000) it had responded to in the past 10 years.

"In doing this, we discovered one further case where patient data was mistakenly contained in a spreadsheet sent in 2021 as part of a FOI response to Wilmington PLC.

"We have requested confirmation from Wilmington PLC that it has been deleted."

That data related to 373 cancer patients on clinical trials and included their names, hospital numbers and some medical information, he said.

"While there is no evidence in either case of the information being accessed or shared beyond the original recipients, we recognise that such errors are unacceptable given our clear duty to maintain the confidentiality of patient information," Mr Sinker added.

"We want to apologise unreservedly to our patients for the worry and concern that this news may cause."