The Cambridge University Hospitals (CUH) NHS trust has recently acknowledged two historical data breaches in response to Freedom of Information (FOI) requests [2]. These breaches involved the inadvertent disclosure of patient data in Excel spreadsheets [1].


The first breach occurred in 2021 and affected 22,073 maternity patients. The compromised information included their names and hospital numbers. The second breach, also in 2021, involved the accidental sharing of names, hospital numbers, and certain medical details of 373 cancer patients participating in clinical trials [1] [2]. Due to the sensitive nature of the information, the trust has chosen not to directly contact the maternity patients affected by the first breach [1]. The breaches were initially discovered by administrators at What Do They Know, prompting the NHS trust to conduct a thorough investigation into its handling of FOI requests over the past decade. Fortunately, there is no evidence to suggest that the data has been accessed by any unauthorized third parties. The trust has expressed its apologies to the affected patients and is currently in the process of reaching out to the cancer patients involved. The Information Commissioner’s Office has been duly informed of these breaches [2]. It is worth noting that similar data breaches have recently come to light in other public sector organizations.


These data breaches have undoubtedly had an impact on the affected patients, who may be understandably concerned about the security and privacy of their personal information. The trust’s decision not to directly contact the maternity patients involved in the first breach may have been made with the intention of minimizing any potential distress caused. However, it is crucial for the trust to ensure that appropriate measures are in place to prevent such breaches from occurring in the future. This incident serves as a reminder for all organizations, both within the healthcare sector and beyond, to prioritize data security and implement robust protocols to safeguard sensitive information. The trust’s prompt response, investigation, and communication with the affected patients demonstrate a commitment to addressing the issue and mitigating any potential harm [1]. Moving forward, it is essential for the trust to continue monitoring and enhancing its data protection practices to maintain the trust and confidence of its patients.