NHS South Central and West data leak

There’s been an NHS South Central and West data leak. It’s a familiar story in terms of how the leak has happened and the fact that it appears to have been very preventable.

In this latest incident, thousands of families have reportedly been sent letters encouraging the uptake of flu vaccinations for children. Unfortunately, due to a “mail merge error”, names and addresses for children were somehow mixed up. The result of this is that parents and carers have received information for other people’s children.

Another huge leak that may have been entirely preventable that took place owing to events that have taken place before. NHS data breach compensation claims are one of the most common types of cases we take forward because of how often these kinds of incidents happen, and it’s clear to us that more needs to be done to prevent them from taking place.

The NHS South Central and West data leak

The NHS South Central and West data leak is said to have affected thousands of families when letters were sent to people containing mixed-up data for children.

It’s understood that letters were sent this week to families in Bath, Berkshire, Buckinghamshire, Gloucestershire, Oxfordshire, North East Somerset and Swindon. It appears that it’s isolated to the personal data for children and that no further medical information had been exposed as well.

According to Gloucester Live, the Director of Child Health Information Service at the NHS Trust, Sue Trinder, said:

“Unfortunately, due to a mail merge error, the addresses and names of the children were mixed up resulting in households being sent an invitation for the wrong child. We would like to sincerely apologise to all parents for this error and reassure them that the letter contained no other personal information other than the name of a child.”

A preventable leak

All we know so far is that the NHS South Central and West data leak was caused by a mail merge error. The nature as to how this mail merge error has happened has not yet been revealed, but this sounds like it should have been a preventable leak.

We have been sending letters and emails to (sometimes) thousands of clients at a time as part of our group action efforts, and we use proper technology to be able to deliver the updates properly and securely. We haven’t ended up mixing up data as we have checks and systems in place to stop this kind of thing from happening. We can only assume that the NHS has – or should make use of – such technology as well.

Although it isn’t clear as to whether this has any element of human error to it, human error is one of the most common causes for leaks when it comes to letters and emails.

Prevention is key!

The NHS Trust has reportedly vowed to make sure that this doesn’t happen again. But this is a familiar statement where organisations are far too reactive as opposed to proactive.

Prevention is key. If you can stop a breach from happening, stop it before there’s a chance that it can happen. Have systems and protocols in place to prevent an incident as opposed to having to clean up the mess after it has already happened.

It’s worth remembering that the cost of such a mess can be significant. The ICO can issue heavy fines for GDPR breaches, and data breach compensation amounts for NHS cases can be substantial because medical data is some of the most personal and sensitive data that there is.

The NHS South Central and West data leak may well be one to keep an eye on so we can get a greater grasp of how it happened in the first place, and then judge how preventable it might have been.

How we assess data breach group actions

Sweaty Betty data breach