Prescriptions and personal information were exposed following a data privacy failure at Airedale NHS Foundation Trust. This page explains how the Airedale NHS Foundation Trust data breach happened.
In June 2022, the Airedale NHS Foundation Trust wrote to patients to alert them to a data breach. The security failure happened when a spreadsheet was sent in error to an individual in response to a Freedom of Information request. The breach was therefore caused by human error, not a cyberattack.
The spreadsheet included prescriptions and personal information that should have been fully anonymised. Anyone who has seen this spreadsheet could have accessed and extracted highly sensitive patient data. To make matters worse, the data was publicly available for four days on the website www.whatdotheyknow.com. So, it is impossible to know who saw the data and what they might do with it.
The following data may have been accessed in the breach:
In a letter to the affected patients, the Trust admitted that the data was accessible to anyone who might have detailed Microsoft Excel skills. But while the Trust claimed that the data was “unlikely to be used for any malicious purposes”, it could not possibly know this.
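The page does not say how the data was reachable, but a spreadsheet that "should have been fully anonymised" yet yields patient data to someone with Excel skills is usually one where the source rows were hidden or left on an extra tab rather than deleted. The following pre-release check is an added example written for this page, not code from the Trust or the FOI site; it assumes that mechanism and uses only the Python standard library, treating the .xlsx as the zip of XML it actually is, and flags hidden sheets, rows and columns before a file is sent out.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML namespace used by workbook.xml and every worksheet part.
MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS = {"m": MAIN}


def scan_xlsx_hidden_content(data: bytes) -> list[str]:
    """Return human-readable findings for content an Excel user can unhide.

    Checks sheet state ('hidden' / 'veryHidden'), hidden column ranges
    (<col hidden="1">) and hidden rows (<row hidden="1">). An empty list
    means nothing hidden was found; it does NOT prove the file is anonymised.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for sheet in wb.findall(".//m:sheet", NS):
            state = sheet.get("state", "visible")
            if state != "visible":
                findings.append(f"sheet {sheet.get('name')!r} is {state}")
        for part in z.namelist():
            if part.startswith("xl/worksheets/sheet") and part.endswith(".xml"):
                ws = ET.fromstring(z.read(part))
                for col in ws.findall(".//m:col", NS):
                    if col.get("hidden") in ("1", "true"):
                        findings.append(f"{part}: hidden columns {col.get('min')}-{col.get('max')}")
                for row in ws.findall(".//m:row", NS):
                    if row.get("hidden") in ("1", "true"):
                        findings.append(f"{part}: hidden row {row.get('r')}")
    return findings


def build_sample_xlsx() -> bytes:
    """Constructed sample workbook (not a real FOI file): a visible 'Summary'
    sheet with a hidden row and two hidden columns, plus a hidden 'Raw' sheet."""
    workbook = (f'<workbook xmlns="{MAIN}" xmlns:r="{REL}"><sheets>'
                '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
                '<sheet name="Raw" sheetId="2" state="hidden" r:id="rId2"/>'
                '</sheets></workbook>')
    sheet1 = (f'<worksheet xmlns="{MAIN}"><cols><col min="3" max="4" hidden="1"/></cols>'
              '<sheetData><row r="1"><c r="A1" t="inlineStr"><is><t>drug</t></is></c></row>'
              '<row r="2" hidden="1"><c r="A2" t="inlineStr"><is><t>name</t></is></c></row>'
              '</sheetData></worksheet>')
    sheet2 = f'<worksheet xmlns="{MAIN}"><sheetData/></worksheet>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/sheet1.xml", sheet1)
        z.writestr("xl/worksheets/sheet2.xml", sheet2)
    return buf.getvalue()
```

Run `scan_xlsx_hidden_content(open(path, "rb").read())` against a file queued for release and treat any finding as a blocker until the underlying rows, columns or sheets are actually deleted, not just hidden.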
Cybercriminals often use breached data to carry out phishing attacks against victims. And, due to the highly sensitive nature of the information in this case, we urged anyone affected to be vigilant.
The Trust has contacted those affected by this breach. Those affected appear to have been prescribed sleeping tablets by the Trust between 2017 and 2021 (inclusive).
Commenting on the Airedale NHS Foundation Trust data breach, Kingsley Hayes, Head of Data & Privacy Litigation at Keller Postman UK, said:
“When it comes to non-cyber-related data breach incidents, the health sector is one of the biggest culprits. The sector holds large volumes of highly confidential information, from names, addresses and contact details, to sensitive medical records, so a breach could result in severe ramifications for those affected.
“Data protection specialists have been raising awareness of this problem for many years, and the ICO provides tailored guidance to help healthcare providers deal with special category data. So it’s disappointing, to say the least, that the Airedale NHS Foundation Trust doesn’t seem to have heeded our warnings and met its data protection obligations. The fact that the Trust sent out this information erroneously is bad enough, but that it wasn’t fully anonymised makes the situation much worse.”