EXCLUSIVE: PERSONAL details about women who have had a stillbirth appear to have mistakenly been published online by the trust which runs Basingstoke hospital.

The information, which is listed as ‘restricted’, includes sensitive and private details such as previous miscarriages and pregnancy terminations, and was published as part of the papers for Hampshire Hospitals NHS Foundation Trust’s board of directors meetings.

These could be freely accessed online by anyone, as well as downloaded or printed, and were published online for several weeks.

The information was included within a review of stillbirths at the trust, but has since been taken down after the Gazette asked Basingstoke hospital if the publication was a breach of confidentiality.

Three reviews were published in two different documents in June and July, providing details including the date and time of the stillbirth, the women’s age and BMI, the gender and weight of their baby, and detailed medical history including previous miscarriages and pregnancy terminations, as well as an in-depth report of their pregnancy and birth.

At the bottom of the report, it states: “Restricted. Not to be copied or shared without the permission of the chair for a period of 10 years from the date of the meeting or the production date – 19 July 2023”, raising questions as to whether the information should ever have been published in a public place online, as it could lead to the women being identified.

The NHS’s confidentiality policy offers principles for all those who work within NHS England who have access to ‘person-identifiable information’ or confidential information.

It states that “all employees working in the NHS are bound by legal duty of confidence to protect personal information they may come into contact with during the course of their work”.

It adds: “Person-identifiable information is anything that contains the means to identify a person”.

Examples given include date of birth, which was included in the stillbirth report of the babies born.

The Information Commissioner’s Office, which investigates reported breaches, told the Gazette that organisations must notify them within 72 hours of becoming aware of a personal data breach “unless it does not pose a risk to people’s rights and freedoms”.

It added: “If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary.

“If anyone has concerns about how their data has been handled, they can report these concerns to the organisation, if they are not happy with the response they can bring it to the ICO.”

The Gazette has asked Hampshire Hospitals NHS Foundation Trust (HHFT) if the women affected will be informed. 

UPDATE: HHFT has now provided a comment, saying it has reported the matter to the Information Commissioner's Office.

Read the latest update here www.basingstokegazette.co.uk/news/18628107.women-affected-hospital-data-breach-offered-support/