Not again…sensitive health data on university staff member emailed to hundreds of students
The University of East Anglia (UEA) is once again at the centre of a data breach blunder after an email containing sensitive health information about a member of staff was mistakenly emailed to 300 students.
The email containing the sensitive information was reportedly sent out to students on Sunday afternoon (5 November); the breach happened because the sender accidentally used an email distribution list.
This was the same fault that caused an embarrassing data breach in June this year, when extremely sensitive student data was leaked to hundreds of undergraduates.
The email in this latest data breach was sent to around 300 postgraduate research students in the social science faculty, one of the UEA’s four teaching departments, according to the Eastern Daily Press (EDP).
It cited the breach as being down to the accidental use of an email distribution list, and the UEA sent a subsequent email to all recipients informing them that the university’s IT department had “remotely extracted the message from all recipients’ accounts.”
“It’s happened again, and the manner of the breach was the same – they haven’t locked down the distribution lists,” an associate tutor at the UEA reportedly told the EDP.
And it seems that the UEA’s data protection training, introduced after the leak in June, has also been criticised.
“The training consists of an eight-question, multiple-choice quiz – it’s basic, haphazard, and easily cheated on,” the EDP reported the unnamed tutor as saying. “It’s ridiculous and they haven’t learned the lessons of the previous breach.
“The ICO decision was rubbish, and it’s happened again, not even a few months later.”
UEA could now face the wrath of the Information Commissioner’s Office (ICO), which has already shown that it is not afraid to dish out financial penalties to organisations that breach data protection regulations.
Last month the ICO concluded that the breach in June didn’t meet the requirements for regulatory action to be taken.
“We deeply regret that an email was mistakenly sent to approximately 300 Social Sciences postgraduate research students containing personal details relating to a UEA employee,” the UEA told Silicon UK. “This was unintentional and clearly should not have happened, and the university apologises unreservedly.
“Steps were taken to immediately recall the message, and the University contacted the member of staff to apologise and offer support. An urgent investigation into how this happened is underway and we will make any changes necessary to the new data protection systems and training currently being rolled out to prevent incidents like this happening in the future.”
And the UEA said it was already deleting unnecessary group emailing lists.
“The University’s recently agreed data protection action plan is underway and we are working through a schedule of required changes,” it said. “This includes the deletion of unnecessary group emailing lists and restricting access to group lists. The list involved in the recent data breach was scheduled to be decommissioned this week and deletion took place on Tuesday.”
“We will continue to keep the new policies and training under review. This latest incident suggests we are making the correct changes but regretfully it is impossible to complete all of them simultaneously due to the complexity of the tasks.”
As mentioned previously, the UEA suffered a data breach in June which saw the university issue an apology after extremely sensitive student data was leaked to hundreds of undergraduates.
A member of staff had “mistakenly” emailed a spreadsheet containing confidential information related to reasons students had given as extenuating circumstances, which included details of family bereavements and mental health problems.
The email was sent to 320 American Studies students and revealed the names and university IDs of around 40 students from the School of Art, Media and American Studies (AMA).