This site is intended for health professionals only

GP trainees learned of employer data breach through unsolicited job offers

Hundreds of GP trainees employed by a hospital trust have been shocked to learn that their personal details were published online.

GP Dr Heather Ryan said she learned of the data breach, which the St Helens and Knowsley Teaching Hospitals NHS Trust is investigating, when she was contacted by a locum agency about a job opportunity.

It was revealed that a spreadsheet with data on Cheshire and Merseyside GP trainees, including name, date of birth, telephone number, specialty, email, electronic staff record number, address and national insurance number, had been hosted on the trust’s website and accessible via search engines.

Dr Ryan said that the ‘unsolicited email’ from the locum agency ‘did not explain how they obtained my contact details’ and that she later learned about the incident from a GP colleague in the same position.

She said: ‘He emailed us all to inform us that he’d found out that [the locum agency] had got our contact details from the public domain, because there was a spreadsheet of Cheshire and Mersey GP trainees’ contact details available online.’

St Helens and Knowsley Teaching Hospitals NHS Trust said that as soon as it was informed of the breach, ‘the data was immediately removed and an investigation commenced’.

The trust is currently investigating how this data was published online and has informed the Information Commissioner’s Office. It added that one cohort of around 500 GP trainees was affected.

Following an initial review the concluded that the ‘the risk to personal security is minimal’ from the breach.

Dr Ryan said she had been ‘really impressed’ by the response and said it was ‘to their credit’ that the Trust had acted ‘quickly’ and ‘transparently’ when it was informed of the breach.

It has also offered trainees a one-year subscription to credit agency Experian so they can be assured ‘nobody has used our data fraudulently’.

But Dr Ryan also said there could be more serious consequences of the breach than monetary fraud or unwanted approaches from recruiters.

She told Pulse: ‘While I am disappointed that my personal information was placed in the public domain, and I will probably take the trust up on their offer of a free credit check, for me it’s only been an inconvenience.

‘I can imagine that for anybody who has reason to be more cautious about personal security – such as a doctor who has had unwelcome attention from a patient, or a doctor who has recently left an abusive relationship – this is rather more serious.’

St Helens and Knowsley Teaching Hospitals NHS Trust said it ‘apologised profusely for any distress or inconvenience the issue had caused’.

A spokesperson said: ‘On Friday the 28 July the trust was made aware of a data breach relating to a particular cohort of lead employer trainees via a website hosted by an external IT supplier. The data was immediately removed and an investigation commenced.’

The trust said that the data breach has been ‘reviewed independently’ and it has been ‘assured that the risk to personal security is minimal’.

It has also informed the Information Commissioner’s Office and ‘will be providing a full report upon completion of the investigation.’