The trust that manages Liverpool’s major hospitals has admitted it does not know how many people accessed a major data breach that led to the personal information of thousands of staff being emailed to hundreds of people.
It was revealed last month how in December 2022, a file was sent by email to more than 450 managers at the Liverpool University Hospital Foundation Trust (LUHFT) - which includes the Royal and Aintree hospitals - which included the personal information of thousands of staff members including names, addresses, National Insurance numbers and salaries. James Sumner, LUHFT chief executive, confirmed to a meeting of the Trust’s board that the Information Commissioner’s office had determined no further action would be taken following the breach.
In his written board report, Mr Sumner said the breach arose as a consequence of the “unintentional sharing” of personal staff information with Trust managers, via email, during a file sharing exercise that was conducted to support management of payroll details as part of arrangements around strike action. Trust staff were informed by email on February 8 of the data breach with Mr Sumner issuing letters to those impacted.
READ MORE: Live updates as armed police block street in Bootle
Now a Freedom of Information request has revealed new details about the data breach. As well as being sent to internal addresses, the FOI response from the Trust said 24 external email addresses belonging to staff members had received the data.
These emails have now been deleted from all addresses, with 275 managers confirmed to have opened the document. The Trust said in its response it is not possible to firm up how many of the recipients of the data opened the offending attachment
In his report earlier this month, Mr Sumner said the Trust undertook a full email recovery and deletion process and reported itself to the Information Commissioner. In an update from Rob Forster, chief finance officer and deputy chief executive, it was said an internal review of the data breach was “drawing towards finalisation” and would be subject to independent external assessment before its findings were released.
The FOI response said as managers, the recipients were considered “trusted partners” and the Trust had a level of assurance they would not take any further action with the information. The response added: “All employees are contractually bound and have a duty of confidentiality, with a moral and legal obligation to preserve confidentiality of sensitive information, however it is acquired.
“It is the responsibility of every employee to comply with legislation relevant to Data Protection which incorporates all areas of processing data. This includes professional codes of practice and common law duties of confidentiality.”
A Liverpool University Hospital Foundation Trust spokesperson said: “All staff were informed of these emails as part of briefing colleagues about the data breach. These are email addresses belonging to staff members.
"Each of the emails has been deleted.”
Receive newsletters with the biggest and breaking TV and showbiz news by signing up here
READ NEXT
Child killer, hitman, drug dealer - How the dark truth about Thomas Cashman was exposed
Live updates as armed police close road and helicopter circles scene
Teenager, 18, fighting for life after being hit by a bus
Man who helped Thomas Cashman as he sought to cover up Olivia's murder
Matalan's £36 co-ord in a 'gorgeous print' that gives 'summer holiday vibes'