As you may be aware from previous communications, there was a data breach in December involving the unintentional sharing of staff personal information.

This breach occurred when a file was sent in error by email to a number of managers employed within LUHFT which contained information in a hidden tab which was not relevant to its intended purpose. Following numerous questions at Staff Brief earlier in the week, we have provided an updated frequently asked questions page.

The Trust’s Data Protection Officer is also writing individually to those colleagues who have emailed them about this.

We would like to apologise again that this has occurred.

FAQs

Can you please explain to me how this has happened and who my information has been leaked to? 

As part of planning for industrial action, the Trust was required to arrange for collation of data about staff employed by LUHFT; this was to be compiled by managers onto a blank spreadsheet. This data was required to be used internally to identify which staff had not attended work and taken strike action. This data would then be used to inform payroll to deduct pay from those staff who did not attend work, were not on planned leave or sick leave and instead took part in industrial action.

The email requesting the information for payroll purposes was sent to managers employed by and who work across the Trust.

Most managers would be able to report staff absence via the Trust electronic roster system. However, not all areas are on the electronic roster system and so a manual way of recording absence had to be developed. The Trust does not have a way to do this, as standard, and so a bespoke standalone spreadsheet was developed in order for managers to input details such as assignment numbers, employee name and hours not worked.

To support managers and improve accuracy of reporting, a link to a staffing list was included in the spreadsheet as a hidden tab. However, this included personal data that was not required for this purpose, and it was not sufficiently protected.

In error, employee information was included in the spreadsheet, but the data was hidden. On opening the email, the recipient would not be able to see the employee information: it appeared to be a blank spreadsheet with headings for managers to complete with details for their team members. It is important to reiterate that the information was not leaked, as the recipients, our colleagues in a managerial role, are considered “Trusted Partners”.

How did it become apparent that staff details had been shared?

It was reported on Datix by a recipient of the email, which triggered further investigation.

Why was all this information compiled in one database/spreadsheet in the first place?

The data was collected from the Electronic Staff Record (ESR) – the system that holds staff information for the Trust and supports employment transactions such as pay and terms & conditions. All staff groups were included within the spreadsheet in order to determine those staff working on the dates of industrial action. This enabled the Trust to have a record of which services were safely able to continue to operate.

Why has it taken ten days for the Trust to inform me that I was one of the employees affected by this data breach?

Time was spent by the Trust fact finding and gaining a detailed understanding of how this breach happened.

We informed colleagues via an all-user e-mail about the breach once the investigation had provided more detail on the circumstances involved. This was important so that we had a clearer view of the risks posed to individuals, at which stage it was agreed to write to everyone affected.

Whilst we feel the breach presents a low risk to individuals, in an open culture it is important that, where an error has occurred, this is communicated to those affected.

Although we understand that you may be concerned, the risk associated with this incident was assessed as low, in line with the Guide to the Notifications of Data Security and Protection Incidents produced by NHS Digital. The relevant sections are set out below in italics:

Grading a personal data breach

Any incident must be graded according to the significance of the breach and the likelihood of those serious consequences occurring. The incident must be graded according to the impact on the individual or groups of individuals and not the organisation. It is advisable that incidents are reviewed by the Data Protection Officer or Caldicott Guardian or the Senior Information Risk Owner when determining what the significance and likelihood a data breach will be.

The significance is further graded by rating the incident on a scale of 1-5, 1 being the lowest and 5 the highest. The likelihood of the consequences occurring is graded on a scale of 1-5, 1 being a non-occurrence and 5 indicating that it has occurred.

Factors considered to reach the conclusion that the incident was low risk included:

  • The information was not leaked: the recipients, our colleagues in a managerial role, are considered “Trusted Partners”. In other words, we had a level of assurance with the recipients such that we could reasonably expect them not to read or access the data sent in error, and to comply with our instructions to return it. Even if the data had been accessed, we would still trust the recipient not to take any further action with it, to return or delete the data promptly, and to co-operate with its recovery (see bullet points below).
  • All employees are contractually bound and have a duty of confidentiality, with a moral and legal obligation to preserve the confidentiality of sensitive information, however it is acquired.
  • It is the responsibility of all employees to comply with legislation relevant to Data Protection, which covers all areas of processing data. This includes professional codes of practice and common law duties of confidentiality.

Based on the above, we have confidence that our colleagues within the Trust are fully aware of their responsibilities, together with their duty of confidentiality.

Who sent the emails? Who shared the spreadsheet? Not just the ‘sender’ but under whose instruction? Who produced the spreadsheet? Who is overall responsible for the spreadsheet being produced? Who decided it should be produced? What action has been taken with respect to the individual who made the error? Did the sender know that there was such a tab in the document? Who knew it was there and who knew it was hidden?

We understand that you are concerned following receipt of the letter, and we appreciate that this raises several questions around how this could have happened, including who is responsible.

Whilst we are unable to share details of areas of responsibility or individual staff names, the Trust has taken appropriate steps to identify how this breach occurred and appropriate action to ensure that a recurrence is prevented in future, such as ensuring that, when sensitive data is used, all steps are taken to secure the data, including password protection and/or encryption.

The actions identified have been taken through a consistent and constructive approach, ensuring fair evaluation of the actions of the staff involved in the incident. This is in line with our organisational values to support a culture of fairness and learning, whether the incident relates to a clinical or non-clinical error.  

Why weren’t appropriate checks done to ensure that personal details were not shared?

It was an error, and because the information was hidden, this was not picked up before the email containing the workbook had been sent.

Are there such checks in place (in the form of a SOP, for example)? And if not, will a SOP (or any other formalised Trust process related document) be produced to prevent such an event recurring?

Once the error was highlighted and the Digital Services team had started to remove and delete the message, a lessons learnt process took place to understand how the error had occurred and training sessions have taken place to ensure the situation does not happen again. As the Data Protection Officer, we will be working with the service area to ensure a Standard Operating Procedure (SOP) is put in place which can be audited on an ongoing basis.

Who reported the breach? Was this incident reported on Datix?

A trusted partner (one of the recipients) reported the breach. It was reported via the Trust’s Risk Management system (Datix).

What was the file type?

The data was extracted from the Electronic Staff Record (ESR) and collated within a Microsoft Excel spreadsheet.

This information related to 13,593 individuals who are all employees of the Trust.

The categories of data within the spreadsheet were:

  • full names
  • home address
  • date of birth
  • national insurance number
  • previous last name
  • gender
  • salary
  • mobile phone number
  • job title
  • location
  • employment start date
  • assignment number
  • ethnicity

The information did not include your bank account details, details of your next of kin, your email address, any occupational health records, or any log in password details for Trust systems.

Please could I ask if sexual orientation was part of that data set?

Sexual orientation was not included in the data disclosed.

The letter references that the information was contained within a hidden tab. What exactly is a ‘hidden tab’? In what way was the tab hidden? What was the purpose of the tab being ‘hidden’? Was it password protected? Or accessible to the recipients if they chose to look for it?

A hidden tab is simply a worksheet in the Excel file that is not visible. Users of the workbook are typically unaware of its existence and will not see the contents of the worksheet. Additional steps are required to make the worksheet visible, and doing so exposes the data. In this specific case, the hidden worksheet contained reference data to make the data entry process in the visible worksheet easier to complete. On this occasion, the worksheet was not password protected.
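As an added illustration (not the Trust's own tooling), the following Python reads the sheet list inside an .xlsx file and reports any worksheet whose state is "hidden" or "veryHidden", which is the kind of pre-send check that would have flagged the tab described above. The workbook it inspects is constructed inline with made-up sheet names.

```python
"""Pre-send check for hidden worksheets in an .xlsx workbook (added example).

An .xlsx file is a zip archive; xl/workbook.xml lists every worksheet, and a
sheet the user cannot see carries state="hidden" or state="veryHidden"
(the latter can only be unhidden from the VBA editor). Reading that list is
enough to detect a hidden tab without opening the file in Excel.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Tuple
from xml.sax.saxutils import quoteattr

WB_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS = {"m": WB_NS}


def hidden_sheets(xlsx_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (sheet name, state) for every worksheet that is not visible."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        root = ET.fromstring(zf.read("xl/workbook.xml"))
    found = []
    for sheet in root.findall("m:sheets/m:sheet", NS):
        # A missing state attribute means the sheet is visible.
        state = sheet.get("state", "visible")
        if state != "visible":
            found.append((sheet.get("name", ""), state))
    return found


def safe_to_send(xlsx_bytes: bytes) -> bool:
    """True only when the workbook contains no hidden or very hidden sheets."""
    return not hidden_sheets(xlsx_bytes)


def build_workbook(sheets: List[Tuple[str, str]]) -> bytes:
    """Construct a minimal .xlsx zip containing only the part the check reads.

    This is a test fixture for the example, not a full workbook writer: it
    writes xl/workbook.xml with one <sheet> entry per (name, state) pair.
    """
    entries = []
    for i, (name, state) in enumerate(sheets, start=1):
        attr = f' state="{state}"' if state != "visible" else ""
        entries.append(
            f'<sheet name={quoteattr(name)} sheetId="{i}"{attr} r:id="rId{i}"/>'
        )
    workbook_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<workbook xmlns="{WB_NS}" xmlns:r="{R_NS}">'
        f'<sheets>{"".join(entries)}</sheets></workbook>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook_xml)
    return buf.getvalue()


# Constructed sample: a visible data-entry sheet plus a hidden reference tab,
# mirroring the layout described in the FAQ (sheet names are made up).
SAMPLE_XLSX = build_workbook([("Absence Return", "visible"), ("Staff List", "hidden")])

if __name__ == "__main__":
    for name, state in hidden_sheets(SAMPLE_XLSX):
        print(f"BLOCK: worksheet {name!r} is {state}; review before sending")
    print("safe to send" if safe_to_send(SAMPLE_XLSX) else "not safe to send")
```

The same check can be run over a real file by passing `open(path, "rb").read()` to `hidden_sheets`; it does not inspect cell contents, so hidden rows, columns or defined names would need separate checks.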

Who are the 24 parties in receipt of my personal data? Please provide ALL the names of the outside agencies the email was sent to. Were these personal email accounts, and if so, why was such data being sent to personal email accounts?

Although we understand that you may be concerned, the risk associated with this incident has been assessed as low.

We are unable to provide the individual names or email addresses of the recipients.

However, we can advise you that the email was distributed to 455 managers, amounting to 812 emails on our internal system. These e-mails have been deleted centrally by the Trust.

The e-mail communication included 24 external email addresses (also known as email accounts); however, these email addresses belonged to employees of the Trust and not to any other external organisation.

A small number of personal email addresses were used, but the responsibilities under the code of confidentiality relating to patient or staff personal data still apply.

We have now had confirmation that these e-mails to external addresses have also been deleted.

From the Trust’s records, we are aware that only 275 managers opened the email which was subsequently deleted. The personal data was not visible within the file unless the individual knew there was a hidden tab and how to unhide it, so it is unlikely this was widely viewed.

However, it is not possible to confirm how many of the recipients actually opened the attachment within the email, or how many of them then may have discovered the hidden tab where the data was contained.

The recipients, our colleagues in a managerial role, are considered Trusted Partners. This means we have a level of assurance that the people who received this email can be trusted not to take any further action with the information.

All employees are contractually bound and have a duty of confidentiality, with a moral and legal obligation to preserve the confidentiality of sensitive information, however it is acquired.

It is the responsibility of every employee to comply with legislation relevant to Data Protection, which covers all areas of processing data. This includes professional codes of practice and common law duties of confidentiality.

Were any generic group inboxes included in the email and if so, how many?

Generic group inboxes were not used.

How long did they have it before the breach was discovered?

The breach relates to an email sent on 20 December.

The data collection exercise using the worksheet took place between 15th December and 20th December 2022. The incident was reported on 20th December, which triggered remediation steps.

I note that there are many external accounts, and I am unsure if the transmission was end to end encrypted to these external accounts? I am also concerned that these accounts do not belong to LUHFT employees. Can you tell me if it was a secure encrypted network? Was this email shared using "non-secure" email handlers? What actions have been taken with the managers that have received this email?  Are IT involved? Have the files now been deleted? Has the trust got it back, especially from the emails that went outside of the trust? I know that bank details were not included but how can we be assured that this information will not get any further than it has up to now? There are attempts all the time to get into NHS systems, so how do we know that this won’t be leaked in the future?

It is important to clarify that this information was not “leaked” into the public domain.

In this instance, this was an internal confidentiality breach rather than an external breach. All staff have responsibilities under the code of confidentiality whether they use patient or staff personal data, and anyone found to have ‘leaked’ information will be investigated and action taken.

The vast majority of email addresses (accounts) were internal LUHFT accounts, and all accounts belonged to LUHFT employees. In this instance the email was encrypted end to end.

IT were involved, with collaboration between the Cyber, IG and technical teams to ensure the withdrawal of the communication, to address the source of error, and to support transparency.

Once the error was discovered, the email was removed from recipients’ inboxes and searches were initiated across our infrastructure to identify and delete any other versions.

There are constant attempts to access our NHS systems and the Trust has robust protection against these attacks.

Was the email recalled after being initially sent? If so for how long was the email with the recipients prior to being recalled?

Recall is not a reliable mechanism, in that users can access or take a copy before accepting the recall. In addition, it would have drawn attention to a potential issue that was not obvious in this case. Once the error was discovered, the email was removed from recipients’ inboxes within a few hours, and work continued to establish whether there had been any other uses or saved versions across our extensive storage areas.

What steps have been taken to rectify this mistake and to ensure staff members have permanently deleted my personal information? What is being done to ensure this does not happen again? How can you confirm the file was deleted? What evidence is there?  How can LUHFT be sure the file has been deleted by everybody?  What reassurance can LUHFT give?

Within an hour of the breach being identified, immediate action was taken by colleagues within the Trust’s Digital Team to delete the email from individual accounts.

All 812 emails from systems accessible by the Trust have been deleted. Furthermore, confirmation has been given by those 24 members of staff who received the email via external email addresses that the files are deleted.

The Trust’s Digital Team continue to monitor Trust systems to identify and delete any versions of the file that may have been saved by colleagues on their computers.

The data contained within the spreadsheet related to employees of the Trust and it was sent to colleagues in a managerial role.

Where we identified emails or files matching the relevant criteria, we have logs of the actions taken, including deletion. Every effort has been made to identify and delete all instances of the file across our extensive storage areas.

Departmental focused training has been delivered, and a review of data use and control processes has already occurred.

The incident has been reported to the Information Commissioner's Office (ICO); we have been working in line with their guidelines and we are awaiting their assessment.

Action has been taken to prevent this from happening again, including providing training and support.

I assume that the Trust, in a culture of transparency, will share a copy of the review. What are the next steps you are taking to make sure I am protected? How can you ensure this won't happen again? Will those affected be included in any further communications? Including:

  1. The Trust’s ‘lessons learnt review’
  2. The outcome of the commissioned external review
  3. Communications from the Information Commissioner's Office

A Root Cause Analysis and an external review are underway, and a report will be published. Staff have been informed of the risk, which has been assessed as being low.

Employee related data is primarily stored in the Electronic Staff Record national system, with elements in the eRostering, Learning & Development, IT, and security systems. 

Whilst the Trust took immediate action to reduce the potential risk to staff and reported the breach to the Information Commissioner's Office (ICO), it is possible that the ICO may wish to take further action against the Trust as a result of this breach.

The Trust will co-operate fully with the ICO to assist with their enquiries into the circumstances and the actions taken to protect your data. We will keep staff informed of the outcome of the external review and any further action considered necessary from the ICO via Staffing Briefing sessions or Chief Executive Communications.  

We continue to encourage staff to complete the mandatory Data Security Awareness training available via ESR and over the coming months will carry out a data awareness campaign to help inform and educate all colleagues on how to best protect data.

Are any of the Managers who received this file also employees and /or shareholders of any organisation external to LUHFT? Will these Managers be compelled to name any conflicts of interest they may hold with any organisation other than LUHFT?

All colleagues are required to submit an annual Declaration of Interest, if they have been identified as a ‘decision-making member of staff’ as defined by the Trust’s Managing Conflicts of Interest Policy. This includes any manager at Agenda for Change Band 8a or above together with specific other categories.

Some staff are more likely than others to have a decision-making influence because of the requirements of their role. Section 3.4.1 of the policy provides further information on how individuals are required to submit annual declarations.

We do not feel it is necessary to contact or review details on the Declaration of Interest register of those managers who received the file as a result of this breach. This is due to the managers at 8a or above already having to make declarations on an annual basis in line with policy.

Background information in relation to the breach together with details of the Trust’s communications plan were discussed and shared with Trade Union colleagues at the earliest opportunity.

A data extract of all staff was taken from the Electronic Staff Record System and included in the data collection spreadsheet. The inclusion of essential data elements to achieve the required task will feature in the report.

We apologise for any confusion that has occurred and can clarify, whilst the information was created to support the ongoing management of services during industrial action, it was not related in any way to just those individuals who were participating in industrial action.  It was intended to support managers and to ensure accuracy and data quality of reporting.

I have been receiving fraudulent phone bills for an unknown person to my address. Is this something to do with this?

No, this is not likely.  As the bills are for an unknown person at your address, the fraudsters most likely did not know who lives at your address.

Since receiving the letter, I have received excessive amounts of spam/phishing emails and have been receiving notifications of someone trying to gain access to my personal email account. Can you please advise on what I should do about this?

We can confirm that your personal email address was not shared.

Coincidentally, this week Microsoft Outlook inboxes have been flooded with spam emails because email spam filters are currently broken. This ongoing issue was confirmed by countless Outlook users who have reported (on social media platforms and the Microsoft Community's website) that all messages were landing in their inboxes, even those that would previously have been tagged as spam and sent to the junk folder.

Please delete the unwanted emails.  Please also consider contacting your personal email provider to see if they can increase the email filtering to your email address.

I am now worried that I could end up in debt because someone has used my details to obtain goods or credit. What could an unscrupulous individual do with this data (even though bank account details were not included)? Presumably stolen identity would be a risk? Should I be informing my bank, and if so, who else should I inform? Do I now need to change everything? Do I need to apply for a new National Insurance number? Can you reassure me all will be ok? Can we be given any guarantees that our data is now safe?

Your bank account details were not provided in the data extract.

If you are concerned about financial fraud, you can contact CIFAS to apply for protective registration. This means extra checks will be carried out when a financial service, such as a loan, is applied for using your address and personal details, to verify it’s you and not a fraudster.

On behalf of the Trust, we would like to offer our sincere apologies for this unintentional error and assure you that all necessary steps have been taken to endeavour to reduce the level of risk.

We have no indications from staff, or other various Cyber/Fraud sources, of any data being disclosed externally or being abused.  The Trust will investigate anyone found to have deliberately leaked information to another source.

Advice on what to look for and what to do if you think an act of identity theft has been committed against you can be found on the Information Commissioner's Office website.

The Trust is committed to ensuring that personal data is handled in a way that ensures appropriate security, including protection against data loss.

If you remain concerned following receipt of this response, you may contact the Information Commissioner's Office (ICO) directly via:

Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Web: https://ico.org.uk/concerns/

Phone: 0303 123 1113

We have approached several banks and discussed whether the information, which was shared, and has now been deleted, could be used to open a new bank account. Without exception the banks have said that more information would be required to get through their checks to set up an account.

It is worth noting that some of the information which was included within the email may already be publicly accessible, particularly for users of social media.

ICO advice relating to online safety is available on the ICO website.

Under data protection law, you are able to claim compensation where you have suffered damage as a result of a breach like this. This includes material damage, such as where you have lost money, or non-material damage, such as where you have suffered distress.

If you wish to make a claim you should write directly to the Legal Services Department, setting out the basis of your claim and what damage you have sustained.  You can contact the Legal Services Department via:

Post: Aintree House, Aintree University Hospital, Longmoor Lane, Liverpool, L9 7AL.