The personal details of 305 third year medical students were accidentally exposed to their entire cohort on Monday, after a spreadsheet was mistakenly attached to an email welcoming the students into their fourth year.

All students who are set to start at the Clinical School in September had their Unique Student Numbers, date of birth, gender, CRSID and college shared, alongside their names.

Further personal details of 19 of these students were shared under a ‘notes’ section in the document, including reasons for intermission, deferral or for withdrawing from the course altogether.

A handful of these notes included private information regarding individuals’ mental health, disabilities or information on investigations into their fitness to practice as doctors.

The incident has been reported to Cambridge University and will be reported to the Information Commissioner’s Office (ICO) as a General Data Protection Regulation (GDPR) breach, according to the Clinical School.

GDPR, the legal regime protecting private data, puts a duty on organisations to report data breaches that result in “risk to people’s rights and freedoms” within 72 hours of becoming aware of the breach.

As the regulator, the ICO has the power to issue warnings, reprimands and even fines up to a maximum of €20 million or 4% of worldwide annual turnover, whichever is higher.

The spreadsheet was attached to an email sent by a course administrator, inviting students to the Clinical School remote introductory session. Within 18 minutes, a second email was sent asking students to “disregard the excel spreadsheet attached to [the] previous email”, and urged “this was not meant to be included and was attached by mistake”.

A further email was sent later on Monday, this time from the Head of Undergraduate Medical Education Section, Alison Martin, apologising for the error and “any distress caused.”

Describing the data breach as “extremely unfortunate”, Martin explained that she would be “investigating how this happened, and putting measures in place to ensure it cannot happen again.”

One third-year medical student who asked to remain anonymous said they felt “lucky” that they were not included in the group of students who saw details on their mental health shared, but described the data breach as “a huge lapse on the part of the clinical school especially given the emphasis on confidentiality in healthcare.”

“I think it also might deter people from seeking help if they’re struggling in the future for fear that the clinical school won’t adequately protect that information”, they continued.

Diana Wood, Clinical Dean of the School of Clinical Medicine also apologised on Wednesday morning, insisting “everyone in the Clinical School Deanery and Administration teams deeply regrets this occurrence” and admitting she was “acutely aware” this was “not a good way for you to be introduced to the Clinical School”.

A “full investigation has been started,” Wood explained, and students should also expect to receive a “detailed explanation and an indication of what measures have been put in place to prevent this happening again”, following this.

In response to the breach, a University of Cambridge spokesperson told Varsity “the Clinical School deeply regrets that a data breach has occurred. The very small number of students and staff concerned have been notified of the breach and steps have been taken to tighten procedures in future.”

“Students who have been personally affected and wish further discussions should contact the Director of Clinical Studies or the Clinical School Welfare Team,” they added.

Updated 17 June 2020 3.53pm: This story was updated to correct a grammatical error in the first paragraph.