Scot NHS Trust probes email stuffup involving maternity patients' data
NHS Forth Valley is the latest health board to bungle basic email data protection principles
Security
Scot NHS Trust probes email stuffup involving maternity patients' data
NHS Forth Valley is the latest health board to bungle basic email data protection principles
A staff member sent the personal details of around 150 women who were in contact with a Scottish NHS Trust’s maternity services to their own personal email account, the Trust has revealed.
NHS Forth Valley, the health board that oversees NHS services in the region between Edinburgh and Glasgow, said it is investigating the matter and has contacted the women affected.
“An internal investigation is underway after a member of staff transferred a spreadsheet containing an extract of data from our maternity system to their personal email address,” a spokesperson said.
"While the majority of information in the spreadsheet is unidentifiable, it contained some lines of data relating to a number of women who had accessed local maternity services.
"There is no evidence that the information has been shared any wider at this stage, and the member of staff has also advised that they have now deleted the data.”
NHS Forth Valley has contacted to data subjects directly and informed a number of other relevant organizations, including the UK Information Commissioner.
A new mum who was one of the circa 150 women affected by the data mishap, told the Fakirk Herald, which first reported the story, that she was experiencing anxiety that her details were out in the public domain.
The woman reportedly was told by NHS Forth Valley that the information was transferred for analytical purposes and concerned a fully qualified, non-clinical staff member, and not a junior.
She was also informed that the data in the spreadsheet included full names, dates of birth, NHS numbers, pregnancy treatment information, and the patients’ total number of children.
NHS Forth Valley said it had made Police Scotland and the Information Commissioner’s Office aware of what happened.
The UK’s health service, for all its merits, has a far from sparkling record when it comes to email-based data breaches.
Between bungled Freedom of Information responses to the BCC function proving too difficult for staff members, the NHS and wider UK public sector have been the subject of their fair share of blunders in recent years.
Two separate Trusts – Chelsea and Westminster and NHS Highland – failed to protect HIV patients’ data when bulk-sending responses via the CC field instead of the BCC field in recent years.
Between 2020 and 2021, Cambridge University Hospitals NHS Foundation Trust was also found exposing extraneous data in spreadsheets sent as part of FoI responses.
And perhaps our favorite NHS clanger of all, the service’s Digital division, no less, exposed hundreds of email addresses via a failed BCC attempt when sending four separate emails to attendees of a cybersecurity event. ®
Originally published on The Register


