New Study Shows UK NHS Data Breaches


For so many of us, the distance we live from the nearest NHS hospital is one of the most important factors in our lives, especially for those who have underlying health conditions.

It is widely recognised that the NHS stores our personal information. This data ranges from medication, allergies, test results, and health conditions, to past and future referrals and appointments. This is stored electronically in order for the appropriate treatment to be administered when we require it. This is private, confidential, and sensitive information that should not be divulged without the prior consent of the patient.

Whilst the NHS requires this type of information to be able to protect and promote the interests of both patients and the public, this can also lead to our privacy being invaded thanks to data breaches.

What is a Data Breach?

A data breach is an incident where data is seen by an unauthorised individual or group, compromising the private nature of the information. When looking at businesses or organisations, this can be personal information from a client or customer, or internal data such as sales figures or expense sheets.

UK NHS Foundation Data Breaches

We set out to see where the largest number of data breaches were experienced in the UK, within each local NHS foundation trust. We understand that large organisations such as the NHS undertake extensive security training and follow preventative measures such as abiding by GDPR rules. But, despite this, breaches still occur, and your sensitive medical information can be compromised.

Therefore, we sent out Freedom of Information (FOI) requests to 229 NHS foundations across the UK, to question them on their data breaches over the last five financial years. Of those contacted, 152 responded.

We focused on the NHS foundations that have experienced the largest number of data breaches of their patients’ private information due to human error.

Our analysis also revealed the NHS foundations that have managed to minimise data breaches due to human error, and which places in the UK have seen the most improvement over the last five years.

Which NHS Foundation Trusts Experienced the Largest Number of Breaches?

The FOI results highlighted University Hospitals of Leicester NHS Trust as the UK’s NHS foundation that experienced the most human error-related data breaches. Since 2016, the trust has recorded 8666 data breaches, with the years 2019 to 2020 experiencing the most, namely a total of 1999 breaches.

UK NHS Foundations with the Most Data Breaches 2016 – 2021

| Rank | NHS Foundation | Total Data Breaches |
|------|----------------|---------------------|
| 1 | University Hospitals Of Leicester NHS Trust | 8666 |
| 2 | Nottinghamshire Healthcare NHS Foundation Trust | 3388 |
| 3 | Sussex Community NHS Foundation Trust | 3310 |
| 4 | Dorset Healthcare University NHS Foundation Trust | 3017 |
| 5 | Southern Health NHS Foundation Trust | 2717 |
| 6 | Royal Devon and Exeter NHS Foundation Trust | 2523 |
| 7 | South Western Ambulance Service NHS Foundation Trust | 2458 |
| 8 | Devon Partnership NHS Trust | 2441 |
| 9 | Cumbria Northumberland Tyne and Wear NHS Foundation Trust | 2155 |
| 10 | University Hospitals Bristol and Weston NHS Foundation Trust | 1800 |

Our FOI request revealed that Nottinghamshire Healthcare is the second-worst NHS Foundation Trust in the UK when it comes to experiencing data breaches caused by human error, recording 3388 breaches overall.

The worst year for Nottinghamshire Healthcare NHS foundation for experiencing data breaches was 2018 to 2019. In the period from 2017 to 2018, they experienced the lowest number: 626 data breaches.

Sussex Community and Dorset Healthcare University NHS Foundation Trusts were third and fourth. Our FOI results revealed they experienced 3310 and 3017 data breaches respectively.

Sussex Community NHS Foundation Trust experienced the majority of its data breaches in the period from 2020 to 2021, recording 786. Dorset Healthcare University NHS Foundation Trust also recorded the most breaches in the period from 2020 to 2021, at 672.

Of course, whilst not every NHS foundation recorded thousands of breaches, plenty experienced their fair share of human error, leading to private information being compromised.

Despite not having any data available for the period 2016 to 2017, Royal Devon and Exeter NHS Foundation Trust experienced 2236 breaches in just three years.

Cumbria Northumberland Tyne and Wear NHS Foundation Trust were placed in the “top” 15 NHS foundations that experienced the most data breaches caused by human error, with 2155 overall. Their worst period was from 2018 to 2020, recording 898 breaches altogether.

Which NHS Foundation Trusts Experienced the Lowest Number of Breaches?

However, not all NHS foundations have experienced the same large numbers of breaches relating to personal information caused by human error.

Norfolk and Suffolk NHS Foundation Trust had the lowest number of data breaches of all the NHS foundations that replied with data, recording only one in total between 2016 and 2021.

Following the data from Norfolk and Suffolk NHS Foundation Trust, Kent Community Health NHS Foundation Trust and Countess Of Chester Hospital NHS Foundation Trust both recorded just four data breaches since 2016.

Our FOI request results also revealed that University Hospitals Sussex NHS Foundation Trust experienced a huge change in their data breaches. They recorded only 68 instances of private data being compromised in 2016 and 2017. However, this figure has increased rapidly to 441 data breaches between 2019 and 2020, which is an increase of 548%.

UK NHS Foundation Trusts with the Least Data Breaches 2016 – 2021

| Rank | NHS Foundation | Total Data Breaches |
|------|----------------|---------------------|
| 1 | Norfolk and Suffolk NHS Foundation Trust | 1 |
| 2 | Countess Of Chester Hospital NHS Foundation Trust | 4 |
| 3 | Kent Community Health NHS Foundation Trust | 4 |
| 4 | Cheshire and Wirral Partnership NHS Foundation Trust | 5 |
| 5 | South Tyneside And Sunderland NHS Foundation Trust | 5 |
| 6 | Hounslow and Richmond Community Healthcare NHS Trust | 6 |
| 7 | Liverpool University Hospitals NHS Foundation Trust | 6 |
| 8 | Tavistock and Portman NHS Foundation Trust | 7 |
| 9 | The Royal Marsden NHS Foundation Trust | 7 |
| 10 | University Hospitals of North Midlands | 8 |

Out of all the NHS foundation trusts that responded, there were a total of 11 NHS foundations that recorded single-digit numbers of human error-caused data breaches.

Most Improved NHS Foundations

Thankfully, many NHS foundations across the UK have controlled human error-caused data breaches.

Our FOI request results revealed that South Warwickshire NHS Foundation Trust has seen an improvement in their number of data breaches. In the period from 2018 to 2019, they recorded 367 instances of private data being compromised. However, this figure has steadily decreased over the following years, to 197 breaches between 2020 and 2021, a 46% decrease.

Derbyshire Community Health Services NHS Foundation Trust saw a similar trend: in the period from 2016 to 2017, they recorded 265 breaches. However, 2020 to 2021 saw just 194 breaches recorded, which is a 27% decrease.

University Hospitals of North Midlands had a big decrease in recorded data breaches in comparison to other NHS foundation trusts and have even managed to reduce them over the years. During 2016 and 2017, they recorded just two breaches. In the period from 2020 to 2021, they only had one data breach. Pretty impressive during the start of the pandemic!

The Overall Data

The total number of NHS foundation breaches has steadily increased over the years, starting at 16,590 in 2016 to 2017 and reaching a total of 25,414 in 2020 to 2021.

The UK’s NHS foundations saw a total of 116,381 and an average of 787 human-caused data breaches compromising private information in the last five years.

So, next time you’re visiting the hospital for a routine check, or even just asking your doctor for some medical advice, be aware of who you’re sharing your data with and how it’s going to be handled.

Methodology

We submitted an FOI to all English NHS foundations and 152 NHS foundations replied. The Freedom of Information requests were sent on the 20th of August 2021.

Note: This study has been edited on the 20th of January and Coventry and Warwickshire Partnership NHS Trust has been removed from the top 10 list. We apologise for any inconvenience caused.

Cybersecurity analyst
David is a cybersecurity analyst and one of the founders of VPNoverview.com. Since 2014 he has been gaining international experience working with governments, NGOs, and the private sector as a cybersecurity and VPN expert and advisor.