Get all your news in one place.
100’s of premium titles.
One app.
Start reading
Liverpool Echo
Liverpool Echo
National
David Humphreys

New details uncovered about Liverpool hospitals data breach

The trust that manages Liverpool’s major hospitals has admitted it does not know how many people accessed a major data breach that led to the personal information of thousands of staff being emailed to hundreds of people.

It was revealed last month how in December 2022, a file was sent by email to more than 450 managers at the Liverpool University Hospital Foundation Trust (LUHFT) - which includes the Royal and Aintree hospitals - which included the personal information of thousands of staff members including names, addresses, National Insurance numbers and salaries. James Sumner, LUHFT chief executive, confirmed to a meeting of the Trust’s board that the Information Commissioner’s office had determined no further action would be taken following the breach.

In his written board report, Mr Sumner said the breach arose as a consequence of the “unintentional sharing” of personal staff information with Trust managers, via email, during a file sharing exercise that was conducted to support management of payroll details as part of arrangements around strike action. Trust staff were informed by email on February 8 of the data breach with Mr Sumner issuing letters to those impacted.

READ MORE: Live updates as armed police block street in Bootle

Now a Freedom of Information request has revealed new details about the data breach. As well as being sent to internal addresses, the FOI response from the Trust said 24 external email addresses belonging to staff members had received the data.

These emails have now been deleted from all addresses, with 275 managers confirmed to have opened the document. The Trust said in its response it is not possible to firm up how many of the recipients of the data opened the offending attachment

In his report earlier this month, Mr Sumner said the Trust undertook a full email recovery and deletion process and reported itself to the Information Commissioner. In an update from Rob Forster, chief finance officer and deputy chief executive, it was said an internal review of the data breach was “drawing towards finalisation” and would be subject to independent external assessment before its findings were released.

The FOI response said as managers, the recipients were considered “trusted partners” and the Trust had a level of assurance they would not take any further action with the information. The response added: “All employees are contractually bound and have a duty of confidentiality, with a moral and legal obligation to preserve confidentiality of sensitive information, however it is acquired.

“It is the responsibility of every employee to comply with legislation relevant to Data Protection which incorporates all areas of processing data. This includes professional codes of practice and common law duties of confidentiality.”

A Liverpool University Hospital Foundation Trust spokesperson said: “All staff were informed of these emails as part of briefing colleagues about the data breach. These are email addresses belonging to staff members.

"Each of the emails has been deleted.”

Receive newsletters with the biggest and breaking TV and showbiz news by signing up here

READ NEXT

Child killer, hitman, drug dealer - How the dark truth about Thomas Cashman was exposed

Live updates as armed police close road and helicopter circles scene

Teenager, 18, fighting for life after being hit by a bus

Man who helped Thomas Cashman as he sought to cover up Olivia's murder

Matalan's £36 co-ord in a 'gorgeous print' that gives 'summer holiday vibes'

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.