Nearly 14,000 staff at Liverpool University Hospital Foundation Trust (LUHFT) had their personal information, including salaries, accidentally sent by email to hundreds of people.

The personal information included names, addresses, National Insurance numbers and salaries and was sent to multiple managers at LUHFT, which includes the Royal and Aintree hospitals, the Liverpool Echo reports.

The file included a hidden tab with the private information of thousands of staff members, according to the Echo, and the incident has now been reported to the Information Commissioner.

Staff received an email notifying them of the breach – seen by the Liverpool Echo – from trust chief executive James Sumner, who apologised for the error.

He said: “I am sorry to inform you that there has been an unintentional sharing of staff personal information.

“A file was sent by email to a number of managers within LUHFT to support the ongoing management of payroll details as part of the industrial action arrangements.

“The spreadsheet file included a hidden tab which contained staff personal information. Whilst it was not visible to those receiving the email, it should not have been included in the spreadsheet.

“The information in this hidden tab included names, addresses, DOBs, NI numbers, gender, ethnicity, salary; it did not include bank account details.”

Sumner added that “the inclusion of this information was a mistake, and we are truly sorry that this has happened and for any concern this may cause” before confirming that the recovery and deletion process of the file is now complete.

The Liverpool Echo reports that the trust CEO added, in his email to staff, that letters will be sent to every individual who had their data shared in the file.

In an official statement, Sumner said: “We have apologised to our colleagues for this error and are providing them with the full information and support they need.

“The data was emailed to managers within the organisation; we set about deleting the email and the data file from our systems within an hour of the error being identified and action has been taken to prevent this from happening again.

“We have also commissioned an independent, external review to assist in how we establish shared learning from the experience. I want to reassure our patients and the communities we serve that we follow all the rules to protect their information and we take data security extremely seriously,” he added.

“We have reported this incident to the necessary authorities and will work with the Information Commissioner's Office to implement recommendations from their review.”

This is not the first case of a data breach involving personally identifiable data being mistakenly shared. Back in 2020, Public Health Wales confirmed that personal data of over 18,00 Welsh residents who tested positive for Covid-19 was uploaded by mistake to a public server.