Shropshire hospital trust pays out nearly £30,000 over data breaches

Shrewsbury & Telford Hospital NHS Trust (SaTH), which runs both Royal Shrewsbury Hospital and Princess Royal Hospital in Telford, paid out the fifth-highest compensation of UK trusts according to a Freedom of Information request.

In total since 2021 SaTH has settled nine claims, paying out a total of £29,750.

It comes as ‘tens of thousands’ of NHS patients have now had their names, dates of birth, and private information published online by hackers who targeted a blood testing firm at London hospitals.

The cyber attack effectively rendered IT systems useless, with the gang of cyber criminals demanding a £40 million ransom.

Across the NHS a total of 20 trusts have paid out more than £1.5m for breaches in the past three years.

The figures have been revealed in an investigation by Legal Expert, which said there had been a stark increase both in terms of human error and cyber attacks throughout the NHS.

Data breach specialist Eleanor Coleman said: "This rise in the health sector is worrying and we hope that organisations are ensuring that they have sufficient security in place to protect people’s personal information."

Asked about the payments, SaTH said data breaches were "rare," but that it had paid out "under £30,000", adding that the payments were "for about half of all data breach claims made against the trust in 2021".

Anna Milanec, director of governance at SaTH, said: “We take our responsibility to maintain the confidentiality of patients, staff and others very seriously, and work has been undertaken to improve its controls and processes over the last two years.

"In the rare circumstances where a data breach is identified, we undertake a full investigation, contact those who may be affected, and do all that we can to learn how to prevent this happening in future.”

The NHS is expected to collect, store, use, share and dispose of personal information or data about individuals, in line with the General Data Protection Regulation and the Data Protection Act.

Under data protection law, organisations must have appropriate technical and organisational systems in place to ensure personal data is kept safe and not inappropriately disclosed to others.

According to the Information Commissioner’s Office, data breaches within the health sector have risen by 21 per cent between 2022 and 2023 - the most common of which are recorded as ‘unauthorised access’. This is when an unauthorised individual has gained access to personal data and can include prohibited disclosures.