Yet another UK public sector data blab, this time info of pregnant women, cancer patients More than 22,000 patients of Cambridge University Hospitals NHS Foundation Trust were hit by data leaks that took place between 2020 and 2021. In both cases, it was an own goal when the org handed over the data itself while responding to requests made under the Freedom of Information (FoI) Act 2000. Also in both cases, …
"The most basic principle of data sharing is extract the data requested and provide only that."
Nope: Extract only what is needed, as long as it's not possible to identify the patient from it. So no name (first or last), date of birth (rough age was okay), full postcode (first part might be okay), NHS number (big no-no!) or hospital number. And that's BEFORE you transform the data, so it shouldn't be in the data source for the pivot. In fact, in this instance only the output from the pivot should have been sent - copy and pasted from spreadsheet 1 into spreadsheet 2.
That's the rule I worked to when I was working in a hospital, and I believe that's still the principle now.
What happened here was a breach of GDPR, and Caldecott - the latter being the governance for medical data. If heads didn't roll, then the Caldecott guardian for the trust needs to be fired, too.
"What happened here was a breach of GDPR, and Caldecott - the latter being the governance for medical data. If heads didn't roll, then the Caldecott guardian for the trust needs to be fired, too."
Agree, but who gets the chop?
Reading between the lines, the specific information requested was found using a pivot table, fine; the original worksheet was deleted, so far so good; but the analyst didn't realize there was a copy of the data in the pivot cache, fail. Since the audit found only 2 incidents out of 8000 requests, we can assume there is a written procedure that works, _when followed_.
If the analyst was inexperienced then there should have been more careful oversight which is a management error. If the analyst was experienced then not following the procedure is on them.
@Anonymous Coward Strange? “You report on data breaches quite often, but you've missed the New Zealand Te Whatu Ora one where 4million vaccine records have been leaked. Strange that.”
Not leaked, BZ Health refused to release the information so Barry Young took it upon himself to do so. The information being the number of vaccine-related deaths. Already the pharma-industrial-complex is acting to discredit him.
Statistician arrested after deep dive into deaths after 'specific Covid vaccine batches'
“Te Whatu Ora found out about the breach on Thursday morning through an email the individual had sent.”
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
