MP Heidi Allen – Apparent Addenbrooke’s Health Data Breach

Heidi Allen's tweet. Image shows the MP but has computer, desk and bookshelf redacted
Redacted version of MP Heidi Allen’s Tweet

On Friday the 10th of March MP Heidi Allen (Conservative, South Cambridgeshire) visited Addenbrooke’s hospital in Cambridge to promote the the NHS Organ donation register. Allen tweeted to say she had signed up to the register herself, and she implored others to do so, writing in a tweet:

I’ve just signed up to the online organ register NHSBT CUH_NHS – it’s easy and could save someone’s life. Do it today.

The tweet in question has now been deleted. The tweet was accompanied by a picture of Allen. On a desk next to Allen was a list of what appeared to be a “clinic assignments” list with people listed by their full names, including middle names, making them individually identifiable.

It appears probable, though not certain, that Allen published sensitive personal information.

There was also a large amount of information stuck to a shelf above the computer MP Allen was sitting at including what looked like user information, and perhaps PIN numbers.

I have spotted recently that Cambridge Universities Hospital Trust describes some data protection breaches as major incidents, listing them alongside clinical incidents which have caused serious harm and deaths in reports to the trust’s Board and Council of Governors.

Recent incidents:

  • Patient information was found by a visitor in a main corridor of the hospital. (Reported in March 2017)
  • Patient information found by a visitor in the car park in the back pocket of a wheelchair. (Reported in February 2017)
  • Three patients received other patients discharge papers with their discharge documentation and a clinical letter was sent to the wrong patient (Reported in November 2016)
  • A patient undergoing a scan was given the wrong notes; Patient’s handheld notes included 3 documents relating to another patient and two patients were sent each other’s clinic letters in error (Reported in September 2016)
  • Discharge letter given to wrong patient in Radiology Day Unit; Patient given another patient’s post natal discharge summary; Patient’s discharge papers contained another patient’s personal identifiable data (Reported in July 2016)

My view

I think the serious incidents which cause physical harm are much more significant than the data loss occurrences being reported. I think it is inappropriate to be giving them equivalent status.

I think it’s vital that people can obtain health care in confidence; and feel that trust is being eroded through the greater sharing of medical records and the spectre of medical records being used for an ever increasing range of purposes by the state.

I would like to see individuals given more control over their own health records.

I have previously questioned apparent inconsistencies in privacy when accessing NHS services. Why can you access a sexual health clinic without giving your real name, and without having to have information shared with a GP, but you can’t get that level of anonymity and privacy in respect of other health matters, such as mental health?

My actions

I was informed of the apparent incident at 19.13 on Friday evening. I tried to contact Heidi Allen immediately, leaving a message on her voicemail/answerphone (I was unable to send a Twitter DM as her DMs are not open to all). I also contacted the on-duty reporter at the Cambridge News and someone else who thought would be able to directly and rapidly contact Heidi Allen.

The tweet was deleted at some point on Saturday and I published this article late on Monday night.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.