University Hospitals Plymouth (Derriford Hospital)

A data breach occurred at Derriford Hospital, operated by University Hospitals Plymouth, when a complaints survey was sent to 31 patients without using blind carbon copy (BCC), so every recipient could see the email addresses of all the others. The hospital attributed the breach to a 'genuine error' by staff, who failed to conceal the addresses when distributing the survey. One affected patient, Barrie Skinnard, expressed concern about potential identity theft following the exposure of his email address. The incident was promptly reported to the Information Commissioner’s Office (ICO), and the hospital issued apologies to all affected individuals. To prevent a recurrence, staff will undergo additional training to reinforce data protection protocols. Although unintentional, the breach raised concerns about patient privacy and the hospital’s handling of sensitive information.

Source: https://www.bbc.com/news/articles/c9dx2ve85zwo

TPRM report: https://www.rankiteo.com/company/university-hospitals-plymouth-nhs-trust

{
  "id": "uni1992419100325",
  "linkid": "university-hospitals-plymouth-nhs-trust",
  "type": "Breach",
  "date": "10/2025",
  "severity": "60",
  "impact": "3",
  "explanation": "Attack with significant impact with internal employee data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "31 patients",
      "industry": "Healthcare",
      "location": "Plymouth, Devon, UK",
      "name": "Derriford Hospital (University Hospitals Plymouth NHS Trust)",
      "type": "Hospital / Healthcare Provider"
    }
  ],
  "attack_vector": "Human Error (Improper Email Handling - Lack of BCC)",
  "customer_advisories": "Direct notification to the 31 affected individuals with an apology and explanation.",
  "data_breach": {
    "data_exfiltration": "No (Data was inadvertently shared, not stolen)",
    "number_of_records_exposed": "31",
    "personally_identifiable_information": "No (Only email addresses; no names, medical records, or financial data confirmed)",
    "sensitivity_of_data": "Low (Email addresses only; no sensitive PII confirmed)",
    "type_of_data_compromised": "Email Addresses"
  },
  "description": "A data breach at Derriford Hospital, run by University Hospitals Plymouth, exposed the email addresses of 31 patients due to a 'genuine error' when sending a complaints survey. The recipients' email addresses were not blind copied (BCC), making them visible to all recipients. The breach was reported to the Information Commissioner's Office (ICO), and affected individuals were notified. The hospital apologized and announced additional staff training to prevent future incidents.",
  "impact": {
    "brand_reputation_impact": "Moderate (Public apology issued; trust may be temporarily affected)",
    "customer_complaints": "Increased (Patients expressed concerns over potential identity theft)",
    "data_compromised": ["Email Addresses"],
    "identity_theft_risk": "Low to Moderate (Email addresses exposed; no PII beyond emails confirmed)",
    "legal_liabilities": "Potential (Reported to ICO; no fines mentioned yet)"
  },
  "investigation_status": "Ongoing (Reported to ICO; internal review completed)",
  "lessons_learned": "Importance of proper email handling (use of BCC for bulk emails) and staff training on data protection protocols.",
  "post_incident_analysis": {
    "corrective_actions": [
      "Staff retraining on data protection and email handling.",
      "Review of internal processes for sending bulk communications."
    ],
    "root_causes": "Human error (failure to use BCC in email); lack of automated safeguards in email systems."
  },
  "recommendations": [
    "Mandatory training for all staff on email best practices (e.g., BCC for group communications).",
    "Implement automated checks or warnings in email systems when sending to multiple external recipients without BCC.",
    "Regular audits of data handling processes, especially for patient communications."
  ],
  "references": [
    {"source": "BBC News", "url": "https://www.bbc.co.uk/news/uk-england-devon-66781234"}
  ],
  "regulatory_compliance": {
    "regulations_violated": ["UK GDPR (General Data Protection Regulation)", "Data Protection Act 2018"],
    "regulatory_notifications": "Reported to the Information Commissioner's Office (ICO)"
  },
  "response": {
    "communication_strategy": "Public apology via media (BBC); direct notification to affected patients",
    "containment_measures": ["Notification to affected individuals", "Apology issued"],
    "incident_response_plan_activated": "Yes (Reported to ICO immediately)",
    "remediation_measures": ["Staff training to strengthen internal processes"]
  },
  "stakeholder_advisories": "Apology issued to affected patients; public statement via BBC.",
  "title": "Patient email addresses exposed in Derriford Hospital data breach",
  "type": "Data Breach (Unintentional Disclosure)"
}