An estimated 14,000 employees at a Liverpool NHS hospital trust have been informed that their data was leaked via email due to human error, according to reports.
A file containing sensitive payroll information was sent to hundreds of NHS managers and 24 external accounts, according to an apology letter to victims from trust chief executive, James Sumner, seen by the Liverpool Echo.
“The spreadsheet file included a hidden tab which contained staff personal information,” the letter read. “Whilst it was not visible to those receiving the email, it should not have been included in this spreadsheet. The information in this hidden tab included names, addresses, DOBs, NI numbers, gender, ethnicity, salary, it did not include bank account details.”
Each of the 24 external recipients have been notified and confirmed deletion of the file, Sumner reportedly added.
“The data was emailed to managers within the organization, we set about deleting the email and the data file from our systems within an hour of the error being identified and action has been taken to prevent this from happening again,” the letter continued.
“We have also commissioned an independent, external review to assist in how we establish shared learning from the experience.”
Human error of this sort is a common cause of data leaks. According to Verizon, the “error” category accounted for 13% of breaches it analyzed last year. It contributed to a massive 82% of breaches that feature the “human element.”
Christine Sabino, legal director at law firm Hayes Connor, said appropriate measures must be put in place to safeguard employee and patient data in light of the risk of human error.
“If identifying personal information is sent out to the wrong recipients, the sender is in clear violation of GDPR laws and staff may have grounds for compensation,” she added.
“Employee data breaches can hold serious consequences and, often, those affected encounter emotional distress, humiliation and victims can be put at risk financially or even lead to identity theft.”