The University of East Anglia issued a public apology after it erroneously shared confidential health details of a staff member with hundreds of students via an e-mail.
The University of East Anglia says it will change its data protection systems and training to ensure such breaches do not occur again.
Back in June, the University of East Anglia found itself in the news after an unforgivable error by one of its staff members resulted in the leakage of sensitive details of 42 students with extenuating circumstances to nearly 300 other students.
A spreadsheet shared by the university with 298 students included details of health problems, personal issues and family bereavements of as many as 42 students. These students had sought extensions and other academic concessions based on these circumstances.
Following the error, the University apologised unreservedly to the affected students and launched an urgent inquiry to figure out the root cause of the data leak. However, it seems that the University is yet to learn its lessons.
On Sunday, the university shared confidential health details of one of its staff members with nearly 300 postgraduate research students via an e-mail, a serious error that attracted the wrath of the University’s students’ union as well as cyber experts.
‘This was unintentional and clearly should not have happened, and the university apologises unreservedly. Steps were taken to immediately recall the message, and the university contacted the member of staff to apologise and offer support,’ said a university spokeswoman.
‘An urgent investigation into how this happened is under way and we will make any changes necessary to the new data protection systems and training currently being rolled out to prevent incidents like this happening in the future,’ she added. The statement is identical to the one issued by the university in June.
‘Given the earlier revelations about data breaches of this nature last year, this latest incident is breathtaking and we’d be forgiven for not trusting what are starting to look like hollow reassurances. Students are rightly questioning whether their personal data is safe in UEA’s hands and we’ll be demanding action at the highest levels in coming days,’ Jack Robinson, campaigns officer at the students’ union, told the BBC.
Matt Lock, Director of Sales Engineers at Varonis, says that since universities hold sensitive personally identifiable information (PII) and protected health information (PHI) on tens of thousands of students, they have a duty to ensure the security of such data and also to educate their employees and contractors on good cyber hygiene practices.
‘The way that personal data is collected and stored is a huge privacy concern, particularly in light of the upcoming GDPR: universities (and individuals) need to keep an eye out on privacy policies and data gathering in order to consistently meet business policy and security requirements.
‘Exposed personal data can be a huge vulnerability – not only an abuse of personal data privacy, but can be leveraged to breach more secure systems and put critical data at risk,’ he adds.
The Information Commissioner’s Office has confirmed that it will be looking into the details of the leak that took place at the University of East Anglia in the coming days.