Staff member has health information sent to 300 students in second UEA confidential data breach
PUBLISHED: 13:29 08 November 2017 | UPDATED: 17:06 10 November 2017
Archant Norfolk 2016
A second data leak has taken place at the University of East Anglia (UEA) after information about an employee’s health was mistakenly sent to hundreds of students.
An email was sent during the afternoon of Sunday, November 5, to around 300 postgraduate research students in the social science faculty, one of the UEA’s four teaching departments, containing personal information about a member of staff.
The breach occurred due to the accidental use of an email distribution list, the same cause as the data leak in June, which affected hundreds of American Studies students.
It comes less than a month after the Information Commissioner’s Office (ICO) found the breach in June didn’t meet the requirements for regulatory action to be taken.
The UEA sent a subsequent email to recipients of the second data leak informing them that the university’s IT department had “remotely extracted the message from all recipients’ accounts.”
An associate tutor at the UEA said: “I suspect UEA are trying to cover this one up rapidly.
“It’s happened again, and the manner of the breach was the same - they haven’t locked down the distribution lists.”
They also criticised UEA’s data protection training, which was introduced after the leak in June.
They said: “The training consists of an eight-question, multiple-choice quiz - it’s basic, haphazard, and easily cheated on.
“It’s ridiculous and they haven’t learned the lessons of the previous breach.
“The ICO decision was rubbish, and it’s happened again, not even a few months later.”
A UEA spokesperson said: “This was unintentional and clearly should not have happened, and the university apologise unreservedly.
“An urgent investigation into how this happened is underway. The university contacted the member of staff to apologise and will be providing support.
“Steps were taken to recall the message as soon as possible using an automated process which can be run by a limited number of UEA employees allowing the removal of the specific email, without accessing individuals’ email inboxes.
“The University will continue with the roll out of our newly created action plan to prevent incidents like this in the future.”
An ICO spokesperson said that they are unable to comment without a specific referral.