Cambridge University Hospitals Reports Patient Data Breach After Staff Access Crocodile Attack Victim’s Records
Cambridge University Hospitals (CUH) has self-reported a data breach to the UK’s Information Commissioner’s Office (ICO) after staff inappropriately accessed the medical records of a three-year-old boy injured in a crocodile attack. The incident occurred on 18 June, when the child was rushed to Addenbrooke’s Hospital following severe injuries sustained after allegedly being thrown into a crocodile enclosure at Johnsons of Old Hurst, a wildlife park in Cambridgeshire.
A CUH spokesperson confirmed that while the hospital maintains strict data protection policies, a breach had occurred. The trust, which employs 13,000 staff, emphasized that unauthorized access to patient records without clinical or operational justification results in disciplinary action, including dismissal. As part of its response, CUH has notified the ICO and issued apologies to the affected family.
The Department of Health and Social Care condemned the breach, stating that inappropriate access to health records is unacceptable and that the trust must conduct a full investigation. The department is also reviewing the incident to prevent future occurrences.
The ICO, which is assessing the report, highlighted the broader issue of unauthorized medical record access across the health sector. An ICO spokesperson stressed that patient trust depends on strict confidentiality, particularly in sensitive cases involving children. The regulator is collaborating with the National Data Guardian and NHS England to reinforce data security measures and remind organizations of their obligations.
The incident underscores ongoing challenges in healthcare data protection, with regulators and authorities treating the matter as a priority.
Source: https://www.healthcare-management.uk/trust-refers-regulator-breach
Cambridge Post Graduate Medical Centre cybersecurity rating report: https://www.rankiteo.com/company/addenbrooke's-pgmc
Cambridge University Hospitals NHS Foundation Trust cybersecurity rating report: https://www.rankiteo.com/company/cambridge-university-hospitals
Johnsons Of Old Hurst cybersecurity rating report: https://www.rankiteo.com/company/johnsons-of-old-hurst
"id": "ADDCAMJOH1782736148",
"linkid": "addenbrooke's-pgmc, cambridge-university-hospitals, johnsons-of-old-hurst",
"type": "Breach",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '1 (three-year-old patient)',
'industry': 'Healthcare',
'location': 'Cambridge, UK',
'name': 'Cambridge University Hospitals (CUH)',
'size': '13,000 staff',
'type': 'Healthcare Provider'}],
'attack_vector': 'Insider Threat',
'customer_advisories': 'Apology issued to affected family',
'data_breach': {'data_exfiltration': 'No evidence mentioned',
'number_of_records_exposed': '1',
'personally_identifiable_information': 'Yes (medical records '
'of a minor)',
'sensitivity_of_data': 'High (child patient, traumatic '
'incident)',
'type_of_data_compromised': 'Medical records (sensitive child '
'patient data)'},
'date_detected': '2024-06-18',
'description': 'Cambridge University Hospitals (CUH) has self-reported a data '
'breach to the UK’s Information Commissioner’s Office (ICO) '
'after staff inappropriately accessed the medical records of a '
'three-year-old boy injured in a crocodile attack. The '
'incident occurred on 18 June, when the child was rushed to '
'Addenbrooke’s Hospital following severe injuries sustained '
'after allegedly being thrown into a crocodile enclosure at '
'Johnsons of Old Hurst, a wildlife park in Cambridgeshire.',
'impact': {'brand_reputation_impact': 'High (public apology issued, '
'regulatory scrutiny)',
'data_compromised': 'Patient medical records',
'identity_theft_risk': 'Moderate (sensitive child patient data '
'exposed)',
'legal_liabilities': 'Potential (ICO investigation, regulatory '
'fines)',
'operational_impact': 'Disciplinary actions against staff, '
'reputational damage',
'systems_affected': 'Electronic Health Record (EHR) system'},
'investigation_status': 'Ongoing (ICO and internal investigation)',
'lessons_learned': 'Reinforcement of strict access controls and '
'confidentiality policies in healthcare, particularly for '
'sensitive cases involving minors. Need for continuous '
'staff training and monitoring of EHR access.',
'motivation': 'Curiosity / Unauthorized access without clinical justification',
'post_incident_analysis': {'corrective_actions': 'Policy reinforcement, '
'disciplinary actions, '
'regulatory collaboration, '
'potential implementation of '
'enhanced monitoring tools.',
'root_causes': 'Insufficient enforcement of access '
'controls, lack of real-time '
'monitoring for unauthorized EHR '
'access, potential gaps in staff '
'training on data protection '
'policies.'},
'recommendations': 'Implement stricter access logging and real-time '
'monitoring for unauthorized EHR access. Conduct regular '
'audits and staff training on data protection policies. '
'Collaborate with regulators to address systemic issues in '
'healthcare data security.',
'references': [{'source': 'Cambridge University Hospitals (CUH) Statement'},
{'source': 'UK Information Commissioner’s Office (ICO)'},
{'source': 'Department of Health and Social Care'}],
'regulatory_compliance': {'fines_imposed': 'Under assessment (ICO '
'investigation ongoing)',
'regulations_violated': 'UK Data Protection Act '
'2018, GDPR (Article 5: '
'Integrity and '
'Confidentiality)',
'regulatory_notifications': 'Yes (ICO, Department '
'of Health and Social '
'Care, NHS England)'},
'response': {'communication_strategy': 'Public statement, apology to family, '
'regulatory notifications',
'containment_measures': 'Disciplinary action against staff '
'(including potential dismissal)',
'incident_response_plan_activated': 'Yes (self-reported to ICO, '
'internal investigation)',
'remediation_measures': 'Full investigation, policy '
'reinforcement, apologies to affected '
'family'},
'stakeholder_advisories': 'Department of Health and Social Care, NHS England, '
'National Data Guardian',
'threat_actor': 'Hospital staff',
'title': 'Cambridge University Hospitals Reports Patient Data Breach After '
'Staff Access Crocodile Attack Victim’s Records',
'type': 'Unauthorized Access / Data Breach',
'vulnerability_exploited': 'Insufficient access controls / Policy violation'}