CUH Logo

Mobile menu open

Statement from Roland Sinker, Chief Executive, Cambridge University Hospitals NHS Foundation Trust

06 Dec 2023 8 min read

I want to apologise to all of our patients for two data breaches, which happened in 2020 and 2021, and which have recently come to light.

Both were the result of mistakenly including patient information in Excel spreadsheets in response to Freedom of Information Act (FOI) requests. The information included the patients’ names, hospital numbers and some medical information.

No home addresses or dates of birth were included, and we have found no evidence in either case of the information being accessed or shared any further.

The first case related to data provided in a FOI request via the What Do They Know website. In responding to the request, we mistakenly shared some personal data which was not immediately visible in the spreadsheet we provided but which could be accessed via a ‘pivot table’.

This data related to 22,073 patients booked for maternity care at The Rosie Hospital between 2 January 2016 and 31 December 2019. It included the names and hospital numbers of patients and their birth outcomes.

(Please see the FAQs at the bottom of the statement for what data has been shared.)

The What Do They Know website group alerted the Trust to the breach and promptly removed the information from their own website.

Following discovery of this data breach, we proactively undertook a review of all the FOI requests (around 8,000) we have responded to in the past 10 years. In doing this, we discovered one further case where patient data was mistakenly contained in a spreadsheet sent in 2021 as part of a FOI response to Wilmington PLC. We have requested confirmation from Wilmington PLC that it has been deleted.

This data related to 373 cancer patients on clinical trials and included their names, hospital numbers and some medical information.

While there is no evidence in either case of the information being accessed or shared beyond the original recipients, we recognise that such errors are unacceptable given our clear duty to maintain the confidentiality of patient information.

We want to apologise unreservedly to our patients for the worry and concern that this news may cause.

We have given careful consideration to the benefits and risks of writing to the patients affected. Given the sensitivity of the maternity information, we believe that some patients may wish to avoid any risk of family members finding out about a previously undisclosed pregnancy. It is also straightforward for this group of patients to identify themselves based on the date range above. Therefore we have decided not to write directly to these patients.

This is not the case for the cancer patients, for whom self-identification would be less straightforward based on the same level of information, and so we have written to these patients directly.

We have set up a dedicated freephone helpline 0808 175 6331 (10.00am to 4pm Monday to Friday) so that any patients who are concerned their data is involved can speak to us if they wish to. Patients can also email our data helpline and we will respond as quickly as we can.

We have informed the Information Commissioner’s Office about both data breaches and have taken immediate steps to strengthen our FOI processes to ensure that this kind of human error does not take place again.

There is more information in our Frequently Asked Questions.

Caroline Zwierzchowska-Dod, Lead for the service user partnership group Rosie Maternity and Neonatal Voices said: “We have been happy to support the hospital with their planning to mitigate the impact of the data breach. We are pleased that robust plans have been put in place to support any service users who have been affected, both with the data implications but also with support for mental health or anxieties this news may bring. We encourage any women, birthing people and their families affected to reach out to the helpline if they would like to discuss the impact this has on them and their wellbeing.”

Anthony Browne, MP for South Cambridgeshire said: “It will obviously be concerning for those affected, but I am reassured that CUH has acted promptly to put measures in place to prevent this happening again. Anyone who is worried about their data should contact the hospital for further information.”

Daniel Zeichner, MP for Cambridge, said: “This a serious data breach, which should not have happened. I am pleased that once they were aware, the Trust has acted swiftly and responsibly, in consultation with patient groups, and has put in place sensible measures to support those affected. Anyone concerned should contact the Trust for support. There now needs to be a full review to ensure that this cannot happen again.”

Frequently asked questions

What was the maternity FOI request?

The FOI request relating to maternity from 2020 was:

1) How many pregnant women receiving antenatal care by your trust were rated/considered to have

a) a low risk pregnancy (- or whatever the equivalent term is your trust uses to describe an uncomplicated pregnancy)

b) a high risk pregnancy ( - or whatever the equivalent term is your trust uses to describe a complicated pregnancy)

in 2016, 2017, 2018 and 2019, and how many of these women were first time mothers-to-be? Please provide numbers as well as percentages for women in each category.

2) How many women of the women who were considered/rated

a) low risk
b) high risk

went on to delivery their baby/babies prematurely in 2016, 2017, 2018 and 2019, and how many of these babies died?

3) How many of the women considered/rated low risk (or whatever the equivant term is your trust uses to describe an uncomplicated pregnancy) who were exclusively cared for by midwives and/or sonographers during the antenatal care they received by your trust, without receiving care from specialist obstetrics until they presented in labour, went on to deliver prematurely in 2016, 2017, 2018 and 2019?

4) How many pregnant women receiving antenatal care by your trust were cared for by midwives and/or sonographers only initially and were subsequently referred to obstetric specialists before they went into labour in 2016, 2017, 2018 and 2019?

If your hospital trust is responsible for the management of several maternity units, please provide numbers for all of them.

What was the cancer FOI request?

The FOI request relating to cancer from 2021 was:

Q1. Does your trust treat the following conditions?

  • Advanced oesophageal cancer
  • Advanced gastric cancer
  • In case you do not treat either of the above conditions, which other trust do you refer these patients to?

Q2. Please provide the total number of patients treated in the last 6 months for

  • Oesophageal cancer (any type)
  • Oesophageal adenocarcinoma
  • Oesophageal squamous cell carcinoma
  • Unresectable oesophageal squamous cell carcinoma
  • Gastric cancer (any type)

Q3. For oesophageal squamous cell carcinoma only, how many patients were treated in the past 6 months with:

  • Platinum and Fluoropyrimidene based combination treatments (Cisplatin or Oxaliplatin with 5-Fluorouracil or Capecitabine)
  • Any other systemic anti-cancer therapy
  • Palliative care only

Q4. For gastric cancer only, how many patients were treated in the past 6 months with:

  • CapeOx (Capecitabine with Oxaliplatin)
  • FOLFOX (Folinic acid, Fluorouracil and Oxaliplatin)
  • Any other systemic anti-cancer therapy
  • Palliative care only

Q5. Does your trust participate in any ongoing clinical trials for the treatment of oesophageal cancer? If so, can you please provide the name of each trial and the number of patients taking part.

Q6. Does your trust participate in any ongoing clinical trials for the treatment of gastric cancer? If so, can you please provide the name of each trial and the number of patients taking part.

Is the data still out there?

The spreadsheet in the first data breach was immediately removed from the What Do They Know website upon discovery. We have worked with NHS England’s national cyber security team to ensure there are no traces of it anywhere on the web. The work to date has not identified any copies being available anywhere else. We also have no evidence at this point that the data has been copied.

The spreadsheet in the second data breach was mistakenly sent to the requester of the information at Wilmington PLC. It was never available publicly and we have requested confirmation from Wilmington PLC that it has been deleted.

While there is no evidence in either case of the information being accessed or shared beyond the original recipients, we recognise that such errors are unacceptable given our clear duty to maintain the confidentiality of patient information.

What is a pivot table?

A pivot table is a way of analysing data in an Excel spreadsheet. It can summarise and sort large amounts of data to make it easier for analysis. Excel actually stores the underlying data it uses to generate the Pivot table in the background and because of this, data may not be immediately visible when the Excel spreadsheet is opened. It is only by double clicking on a field within the Pivot table that you can access the underlying data.

Exactly what data has been made public?

The data which was mistakenly included in the spreadsheet sent to the What Do They Know (WDTK) website included:

  • The patient’s full name
  • Hospital number
  • Conception date
  • The date when their pregnancy was booked in at CUH
  • The outcome of that pregnancy
  • The gestational age of the baby.

The data in relation to the second spreadsheet sent to a recipient at Wilmington PLC included:

  • The patient’s full name
  • Hospital number
  • Details of symptoms and conditions that occurred during the patient's participation in a clinical trial that were recorded as part of the standard practice of safety monitoring in clinical trials. Examples include headaches and infections.
How long was the maternity information on the What Do They Know (WDTK) website for?

The information was available on the WDTK website between 18th November 2020 and 1st November 2023. It was taken down from the WDTK website on 1st November 2023.

What do I need to do?

We apologise unreservedly to our patients for these errors.

The spreadsheet in the first data breach has been removed from the What Do They Know website and we have worked with NHS England’s national cyber security team to ensure there are no traces of it anywhere on the web. The work to date has not identified any copies being available anywhere else.

The spreadsheet in the second data breach was never available publicly and we have requested confirmation from Wilmington PLC that it has been deleted.

We have set up a dedicated freephone helpline 0808 175 6331 (10.00am to 4pm Monday to Friday) so that any patients who are concerned their data is involved can speak to us if they wish to. Patients can also email our data helpline and we will respond as quickly as we can.

Are my hospital records safe?

Yes. The personal data in these two data breaches was mistakenly contained in Excel spreadsheets which were released by the Trust in error as part of responses to two Freedom of Information (FOI) requests. They are not connected to any patient records.

All hospital records are contained in our electronic patient record system, provided by Epic. This is a fully secure patient record system.

What actions have you taken?

As soon as we were made aware of the data breaches, we took immediate action.

This included:

  • Ensuring the spreadsheet was removed from the What Do They Know website.
  • Working with the NHS England national cyber security team to ensure this spreadsheet cannot be traced anywhere on the web.
  • We have requested confirmation that the spreadsheet sent to the requester at Wilmington PLC has been deleted.
  • Putting in place a helpline for patients to contact us if they have any questions or concerns.
  • Putting in place enhanced scrutiny around our FOI process, with no spreadsheets leaving the organisation through FOI.
  • Reviewing every FOI request responded to by CUH since 2013 (in accordance with our records retention policy, the Trust no longer holds records of FOI responses prior to 2013). This is how we identified the second data breach.
  • Commissioning an external review of our FOI process.
  • Notifying the Information Commission’s Office. We have also briefed NHS England and the Care Quality Commission.
Why have you not written to every patient?

We have given careful consideration to the benefits and risks of writing to the patients impacted.

Given the sensitivity of the maternity information, we believe that some patients may wish to avoid any risk of family members finding out about a previously undisclosed pregnancy. It is also straightforward for this group of patients to identify themselves based on the date range above. Therefore we have decided not to write directly to these patients.

This is not the case for the cancer patients, for whom self-identification would be less straightforward based on the same level of information, and so we have written to these patients directly.

We have set up a dedicated freephone helpline 0808 175 6331 (10.00am to 4pm Monday to Friday) so that any patients who are concerned their data is involved can speak to us if they wish to. Patients can also email our data helpline and we will respond as quickly as we can.

How can you reassure me that this won’t happen again?

Both data breaches were the result of human error in responding to a FOI request.

We have taken immediate steps to put in place a more rigorous system around our FOI processes to reduce the likelihood of human error occurring in the future. This includes ensuring no spreadsheets leave the organisation through FOI responses.

Last updated: 1.19pm, 11 December 2023

This document was correct at the time of printing - 17-11-2024 18:19