Nottingham hospital sends sensitive information on suicide and baby death to wrong family
A Nottingham hospital trust accidentally sent sensitive information about a suicide and baby death to the wrong family. Two families told Nottinghamshire Live they had received the personal data of complete strangers as part of their Subject Access Requests (SAR).
An SAR requires an organisation to hand over any personal information it holds about an individual. Natalie Needham, from Hucknall, was given details on the suicide of someone she knew of, as well as information about the death of another woman's baby.
Jack and Sarah Hawkins, from Nottingham, said they were "horrified" to receive data about a stranger, describing it as a "massive GDPR breach". Nottingham University Hospitals (NUH) apologised for the "mistakes".
Families wishing to contact the Nottingham Maternity Review can do so by emailing nottsreview@donnaockenden.com or by filling out an online form.
The trust, which runs the Queen's Medical Centre and City Hospital, acknowledged the data breaches and said its processes "fell short of what we would expect". Mrs Needham made the SARs in the years following the unexpected death of her baby Kouper in 2019, which she blames on hospital failings.
As well as receiving data on herself, Kouper and husband Dave, she received "highly confidential" and "sensitive" information on a total of four strangers. “I asked for minutes, emails, I wanted everything that we were named in. We were not named in them," said the 37-year-old.
"I can’t understand why. That shows the security of the information, we’ve been sent information that families have never seen. It’s really sensitive."
She said the error made her wonder whether others had seen her own information. “How many people have got information on my son? There’s information that I don’t want people to see, that people don’t need to see," she said.
Mr and Mrs Hawkins, who submitted SARs after the preventable death of their daughter Harriet in 2016, were given correspondence that related to someone with the same name, but who had no relation to them. “I was horrified. It felt really wrong to read the first line," said Mrs Hawkins.
"That’s someone else’s confidential information. We believe it’s a massive GDPR breach." Mr Hawkins added: “We don’t know if someone’s received ours, is there someone out there with worse?
“They gave us documents with an astounding amount of redaction and then send something about a stranger." Anthony May, chief executive at NUH, said: “I would like to apologise to Natalie Needham and to Jack and Sarah Hawkins for mistakes we have made with SARs. We do have processes to ensure the quality of our SARs, but these fell short of what we would expect in these cases.
“I can confirm that Natalie made us aware of being sent some records that were not hers in February 2024. We acknowledged this data breach in March 2024, apologising to Natalie about data shared with her in error.
“I recognise the importance of timely and accurate responses to these requests for the families involved in the Independent Maternity Review. I am committed to improving this area of our work and while we have made some improvements, there is more to do.
“So far, we have restructured the team and have 14 new colleagues joining us to help improve the timeliness of our responses, balancing this against ensuring quality and accuracy. The process for requesting access to health records is also under review.
“More generally we are looking at ways to improve our support for families affected by the Independent Maternity Review. I intend to bring some of this detail to our Annual Public Meeting on 18 September.”
Officials at the Information Commissioner’s Office said it didn't appear that a matching breach report had been received.
An ICO spokesperson said: “People’s medical data is highly sensitive information, not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law. When a data incident occurs, we would expect an organisation to consider whether it is appropriate to contact those affected and take steps to protect them.
"Organisations must also consider whether they need to report to us and must do this within 72 hours of becoming aware of the breach. If they decide not to report to us, a record should be kept to explain why. If anyone has concerns about how their data has been handled, they can report these concerns to us.”
NUH is subject to the largest maternity review in NHS history following hundreds of baby deaths and injuries, with almost 2,000 families' cases being included.
Staff can contact the review by emailing staffvoices@donnaockenden.com