University of East Anglia leaks confidential health details to hundreds of students in mass email
This isn't the first time the university has suffered a data breach due to a mistaken mass email.
The University of East Anglia in Norwich accidentally leaked an employee's confidential and sensitive health information in a mass email sent to hundreds of postgraduate research students.
The email, which included the personal health information of a member of staff, was sent on Sunday afternoon (5 November) to about 300 students in the social science faculty.
The UEA sent a subsequent email to recipients of the mistaken email apologising for the error and notifying them that the university's IT department had "remotely extracted the message from all recipients' accounts" due to the "sensitive nature of its contents."
"We are aware that many of you will have already read the message, and ask that you respect the privacy of the individual concerned, treat the message as confidential, and do not share or take any action in relation to the information disclosed," the second email read. "If you have auto-forwarding set up on your email account, we ask that you delete all copies of the message concerned."
The university is currently investigating the incident as a data breach and said it "will look into how and why it occurred and what can be done to ensure the mistake is not repeated."
The data leak comes just a few months after a university staff member accidentally leaked confidential and highly sensitive information of about 42 students -- including family bereavements, health problems and personal issues -- in a mass email to nearly 300 other undergraduates.
The offending email, which was sent in June, included a spreadsheet that listed the names and university ID numbers of the students in the School of Art, Media and American Studies (AMA) who applied for extenuating circumstances.
However, the Information Commissioner's Office said last month that no regulatory action was needed.
"After considering the facts, in this case, we found the breach didn't meet all the requirements for the ICO to take regulatory action," the ICO said last month. "However, we have issued the University of East Anglia with advice to assist it in improving its future compliance with the law."
Following the second data breach, a university spokesperson said the latest mistaken mass email was "unintentional and clearly should not have happened."
"An urgent investigation into how this happened is underway," the spokesperson said in a statement, Norwich Evening News reported. "The university contacted the member of staff to apologise and will be providing support.
"Steps were taken to recall the message as soon as possible using an automated process which can be run by a limited number of UEA employees allowing the removal of the specific email, without accessing individuals' email inboxes. The University will continue with the roll out of our newly created action plan to prevent incidents like this in the future."