AddThis SmartLayers

Weekly exposes data breach which saw women’s medical details made public

Emily RobertsA weekly newspaper has exposed a serious data breach which led to the personal medical details of women who had experienced stillbirth being made publicly available.

Basingstoke Gazette reporter Emily Roberts, pictured, successfully took Hampshire Hospitals NHS Foundation Trust to task after discovering the data had been published online.

Details which appeared on the Trust’s website included not just the date and information around the stillbirths, but also the women’s medical history, their ages and even their BMI.

The freely available content also revealed previous miscarriages and pregnancy terminations of three women who had suffered stillbirths.

Hampshire Hospitals initially “downplayed” the incident after being alerted by the Gazette, with the paper giving the Trust a deadline to remove the data.

The Gazette ran the resulting story online after the details were removed, with the Trust only deciding to comment post-publication.

Hampshire Hospitals has now referred itself to the Information Commissioner’s Office over the incident.

Gazette editor Katie French told HTFP: “This is a textbook example of why communities need trained, professional local journalists to hold organisations to account.

“Our reporter Emily had a hunch that something didn’t feel right while looking at board reports on Hampshire Hospitals’ website.

“After challenging the Trust, the data was removed but the incident was initially downplayed.

“Without Emily’s determination and legal knowledge, this confidential and highly sensitive information would still be in the public domain.

“The Trust has now referred itself to the ICO who will be making enquiries.”

Malcolm Ace, chief financial officer for Hampshire Hospitals, told the Gazette: “The privacy of our patients is of the utmost importance to the trust and we are taking this matter very seriously.

“As senior information risk officer, I have referred this to the Information Commissioner’s Office as a potential breach of the Data Protection Act 2018 and we will act quickly on any and all recommendations given.”