‘Ignorant’ NHS trust fined £185,000 for leaking thousands of staff details online

ICO blasts Blackpool NHS Trust after it publishes workers' data in Excel spreadsheets

Hospital IT

An NHS trust that accidentally published thousands of workers' personal data online failed to notice their mistake for 10 months then kept silent about the error for another five months.

The Information Commissioner's Office (ICO) fined Blackpool Teaching Hospitals NHS Foundation Trust 185,000 for the data breach, and blasted the trust's handling of the leak.

Stephen Eckersley, the data watchdog's head of enforcement, said: "This trust played fast and loose with the highly sensitive and private information that was entrusted to them. It seems they ignored their duty to put rules in place to protect staff who deliver hospital services to others."

A total 6,574 staff voluntarily gave the trust their National Insurance numbers, dates of birth, religious beliefs and sexual orientation as part of its commitment to publish equality and diversity metrics each year.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

But after publishing the statistics in March 2014, the trust took 10 months to notice that the workers' personal data became viewable when users double-clicked on the spreadsheets.

It then failed to tell any of the affected workers about the breach for another five months.

"Any measures taken to protect this information from reaching the public domain were woefully inadequate or non-existent," said the ICO's Eckersley. "The fact that the error went unnoticed for so long beggars belief.

"There was a need for robust measures to safeguard against this kind of disclosure. I can see no good reason for that not happening and that is why we have taken action."

He pointed to an ICO blog designed to help organisations be aware of the data leak risks associated with various document formats.

Blackpool Teaching Hospitals Trust is not the first to publish hidden data both Torbay NHS Trust and Islington Council have both made similar errors.

Advertisement - Article continues below

The trust's interim CEO, Wendy Swift, said it has implemented measures following an internal investigation to ensure the mistake cannot be repeated.

She added: "The trust has sincerely apologised to its staff for the error. Upon discovery of the error immediate action was taken to disable the links from the reports on our website.

"The incident, which related to staff data only, was reported both locally and to our relevant regulatory bodies, which include Monitor and the CQC, as well as the Information Commissioner's Office (ICO). We liaised with the ICO throughout the investigation.

"Once the results of the investigation were known we wrote to every member of staff to inform them of the incident and offer support and guidance if they had any concerns.

"On behalf of the Trust Board of Directors, I would like to apologise once again for any worry or concern this incident may have caused staff. Action has been taken to ensure this will never happen again."

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/data-insights/data-management/354423/eu-us-data-transfer-tools-used-by-facebook-ruled-legal
data management

EU-US data transfer tools used by Facebook ruled legal

19 Dec 2019
Visit/security/ddos/28039/how-to-protect-against-a-ddos-attack
Security

How to protect against a DDoS attack

25 Oct 2019
Visit/data-breaches/29418/equifax-data-breach-cost-14-billion-so-far/page/0/1
data breaches

Ex-Equifax CIO to serve four months for insider trading

2 Jul 2019
Visit/data-breaches/29418/equifax-data-breach-cost-14-billion-so-far
data breaches

Ex-Equifax CIO to serve four months for insider trading

2 Jul 2019

Most Popular

Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/hardware/laptops/354533/dell-xps-13-new-9300-hands-on-review-chasing-perfection
Laptops

Dell XPS 13 (New 9300) hands-on review: Chasing perfection

14 Jan 2020