Staff member has health information sent to 300 students in second UEA confidential data breach

UEA - University of East Anglia. Picture: ANTONY KELLY Archant Norfolk 2016

A second data leak has taken place at the University of East Anglia (UEA), with information about an employee’s health mistakenly sent to hundreds of students.


UEA sent this email to all recipients of the data breach, informing them that it had been deleted from their mailbox. Image: Submitted

An email was sent during the afternoon of Sunday, November 5, to around 300 postgraduate research students in the social science faculty, one of the UEA’s four teaching departments, containing personal information about a member of staff.

The breach was caused by the accidental use of an email distribution list, the same cause as the data leak in June, which affected hundreds of American Studies students.

It comes less than a month after the Information Commissioner’s Office (ICO) found the breach in June didn’t meet the requirements for regulatory action to be taken.

The UEA sent a subsequent email to recipients of the second data leak informing them that the university’s IT department had “remotely extracted the message from all recipients’ accounts.”

The UEA is providing staff with data protection training following the data breach in June, consisting of an eight-question, multiple-choice quiz. Photo: Submitted

An associate tutor at the UEA said: “I suspect UEA are trying to cover this one up rapidly.

“It’s happened again, and the manner of the breach was the same - they haven’t locked down the distribution lists.”

They also criticised UEA’s data protection training, which was introduced after the leak in June.

They said: “The training consists of an eight-question, multiple-choice quiz - it’s basic, haphazard, and easily cheated on.

“It’s ridiculous and they haven’t learned the lessons of the previous breach.

“The ICO decision was rubbish, and it’s happened again, not even a few months later.”


A UEA spokesperson said: “This was unintentional and clearly should not have happened, and the university apologise unreservedly.

“An urgent investigation into how this happened is underway. The university contacted the member of staff to apologise and will be providing support.

“Steps were taken to recall the message as soon as possible using an automated process which can be run by a limited number of UEA employees allowing the removal of the specific email, without accessing individuals’ email inboxes.

“The University will continue with the roll out of our newly created action plan to prevent incidents like this in the future.”

An ICO spokesperson said that they are unable to comment without a specific referral.