Blackpool NHS staff data is left online

Gary Doherty, chief executive of Blackpool NHS Turst
Gary Doherty, chief executive of Blackpool NHS Turst
  • Thousands of staff members’ personal details – including National Insurance numbers and salaries – were accidentally published online
  • Bosses at Blackpool Teaching Hospitals NHS Foundation Trust today admitted to the massive information breach
  • Details went live on its website in March last year – and stayed there for 11 months
  • It affected more than 5,000 employees and was not spotted until January, when it was removed and the Information Commissioner notified

Health chiefs in Blackpool were today urged to launch a major investigation after thousands of staff members’ personal details – including National Insurance numbers and salaries – were accidentally published online.

Hospitals NHS Foundation Trust today admitted to the massive information breach, which saw details go live on its website in March last year – and stay there for 11 months.

It’s bad enough to have happened in the first place but for no-one to notice is unacceptable

The error, which will have affected more than 5,000 employees, was not spotted until January, when it was removed and the Information Commissioner notified.

The trust’s chief executive Gary Doherty today said every affected worker had been sent a letter, including a personal apology, and a helpline for worried staff has been set up.

And he pledged the “clearly unacceptable” breach would “never happen again”.

But the “appalling” breach has today prompted calls for a full investigation into how the mistake happened.

And one former staff member said the blunder was “unacceptable”.

Meanwhile, Paul Maynard, whose Blackpool North and Cleveleys constituency is home to Blackpool Victoria Hospital, said: “It’s appalling. If I was working there I would be quite concerned.

“Placing private information in the public domain potentially puts all staff at risk.”

Mr Maynard said he would expect to see exact information on how many people accessed the data, and suggested this should not be difficult for the Trust to ascertain. He added: “I hope the hospital looks closely at both how the information was placed in the public domain, but also why it took so long to uncover as well.

“If they found that no-one saw it then they just need to look at internal procedures but if it’s found even a handful of people did then that needs to be known. I think more information is needed.”

One former staff member, who worked for the Trust for 12 months from 2013, said: “It’s pretty sensitive information to be published. I’m very concerned that no-one realised the error for so long.

“It’s bad enough to have happened in the first place but for no-one to notice is unacceptable. If a person has disclosed personal information to the employer but not to those close to them, it could be very damaging to a person for that to be exposed.”

Keith Hudson, regional officer for Unite, said he would be working closely with union stewards within the Trust to assess the response needed. He added: “We will probably want a full inquiry on how this has happened.

“If any of our members managed to publish patient information, I’d imagine there would be an internal inquiry that would lead to a disciplinary. So we’d hope there will be a proper investigation and this is not brushed under the carpet.”

Mr Doherty added: “The Trust has written to all staff to apologise for an incident which was identified by in January which enabled personal data relating to our staff being accessible in certain circumstances on the Trust’s website.”

Staff have now been warned to be extra vigilant against bogus emails.

And bosses have moved to reassure staff that they are “not aware of any incidents which have arisen as a result of this data being published”.

Mr Doherty said the breach happened after a summary table was posted online which, if clicked, would give further personal information.

He added: “Although we fully recognise the information should not have been put on our website there was nothing to indicate the summary table had the underlying data available and we can confirm that the overall number of visitors to the reports was very limited.

“Once realising the error immediate action was taken to remove the links from the website and the incident was reported both locally and to our relevant regulatory bodies which include Monitor and the Care Quality Commission.

“We have also been in constant discussion with the Information Commissioner’s Office because of the nature of the incident and acted on all their recommendations.

“We have set up a helpline for staff, have offered to enrol all staff with a national data protection company and are taking extensive steps to ensure that this will never

happen again.”