Cambridge Hospitals Admit Two Excel-Based Data Breaches

Written by

A Cambridge NHS trust has admitted two historic data breaches, stemming from the accidental disclosure of patient data in Excel spreadsheets in response to Freedom of Information (FOI) requests.

Cambridge University Hospitals NHS Foundation Trust CEO, Roland Sinker, revealed the news yesterday, explaining that the first incident occurred in 2021 but had only “recently” come to light.

“The first case related to data provided in a FOI request via the What Do They Know website. In responding to the request, we mistakenly shared some personal data which was not immediately visible in the spreadsheet we provided but which could be accessed via a ‘pivot table’,” he explained.

“This data related to 22,073 patients booked for maternity care at The Rosie Hospital between January 2 2016 and December 31 2019. It included the names and hospital numbers of patients and their birth outcomes.”

Read more on Excel: Northern Ireland Police Officers Vulnerable After Data Leak

The way this data was leaked is almost identical to the far graver breach at the Police Service of Northern Ireland (PSNI) earlier this year. The police service also accidentally shared sensitive information with What Do They Know in response to an FOI request, with the data hidden by a pivot table.

In September, privacy regulator the Information Commissioner’s Office (ICO) called for an immediate end to the use of Excel spreadsheets to publish FOI data, and released guidance on pivot tables. This Excel function can help to summarize large data sets but might also create an automatic summary of the underlying data which is hidden from immediate view.

The breach was only alerted to the trust when admins at What Do They Know discovered it and immediately removed the information from their website.

However, that prompted a further investigation by the NHS trust of FOI requests it has handled over the past decade.

This revealed an additional incident, in 2021, in which a spreadsheet sent to Wilmington PLC accidentally contained the names, hospital numbers and some medical information on 373 cancer patients undergoing clinical trials.

Sinker said the trust has decided not to write directly to the maternity patients involved in the first breach.

“Given the sensitivity of the maternity information, we believe that some patients may wish to avoid any risk of family members finding out about a previously undisclosed pregnancy. It is also straightforward for this group of patients to identify themselves based on the date range above,” he said.

“This is not the case for the cancer patients, for whom self-identification would be less straightforward based on the same level of information, and so we have written to these patients directly.”

Image credit: Tom Gowanlock /

What’s hot on Infosecurity Magazine?