Cambridge University Hospitals (CUH) has apologised for a huge data leak which revealed information about 22,446 patients.

On two separate occasions, in 2020 and 2021, CUH accidentally disclosed patients’ sensitive information as it sought to fulfil Freedom of Information (FOI) requests, Cambridgeshire Live has reported.

The data concerned belonged to patients in maternity care and cancer patients participating in clinical trials, affecting over 20,000 patients.

In a table sent in response to FOI requests, CUH included information related to 22,073 maternity patients, who were treated at the hospitals from 2016 to the end of 2019. Among the information included were patients’ names and hospital numbers. Patients’ addresses and birthdates were not included.

What Do They Know, the site which processed the FOI requests, informed CUH of the leak and removed the information from its site. Following this, CUH reviewed 8,000 FOI requests it had received in the ten years leading to the breach.

In the course of this review, it was discovered that patients’ private data had also been disclosed during another FOI request from a different organisation, Wilmington PLC.

This time, the breach concerned cancer patients’ data, including names, hospital numbers, and “some medical information”. CUH asked Wilmington PLC to delete the information.

Ronald Sinker, chief executive for Cambridge University Hospitals NHS Foundation Trust, said: “I want to apologise to all of our patients for two data breaches.”

“While there is no evidence in either case of the information being accessed or shared beyond the original recipients, we recognise that such errors are unacceptable given our clear duty to maintain the confidentiality of patient information,” he added.

Discussing the Trust’s dilemma over whether to contact patients about the breach or not, Sinker said: “We have given careful consideration to the benefits and risks of writing to the patients affected.”

“Given the sensitivity of the maternity information, we believe that some patients may wish to avoid any risk of family members finding out about a previously undisclosed pregnancy,” he continued. As a result, CUH did not contact the maternity patients.

The cancer patients, however, were contacted, with Sinker explaining: “This is not the case for the cancer patients, for whom self-identification would be less straightforward based on the same level of information.”

A helpline has been set up for patients who are concerned their data has been shared. The trust has also informed the Information Commissioner’s Office about both data breaches.

Anthony Browne, MP for South Cambridgeshire, said: “[The breach] will obviously be concerning for those affected, but I am reassured that CUH has acted promptly to put measures in place to prevent this happening again. Anyone who is worried about their data should contact the hospital for further information.”

MP for Cambridge Daniel Zeichner also commented: “This a serious data breach, which should not have happened. I am pleased that once they were aware, the Trust has acted swiftly and responsibly, in consultation with patient groups, and has put in place sensible measures to support those affected.”

“Anyone concerned should contact the Trust for support. There now needs to be a full review to ensure that this cannot happen again,” he said.