The homepage of the official website for the Royal Cornwall Hospitals NHS Trust

Hospital staff sickness records exposed in Royal Cornwall data breach

Royal Cornwall Hospitals NHS Trust has confirmed a data breach involving the personal information of thousands of current and former employees, after an internal spreadsheet was accidentally published online.

The trust has written to around 8,100 staff members whose details were affected. The incident occurred when an editable spreadsheet was inadvertently disclosed as part of a Freedom of Information (FOI) request and uploaded to the trust’s disclosure log.  

What information was exposed?

According to the trust, the spreadsheet contained: 

  • Staff names
  • Job titles
  • Descriptions of sickness absences
  • Dates of those absences 

According to Cornwall Live, a letter sent to affected staff confirmed that the breach went beyond sickness absence data. In addition to absence records, the disclosure included full names, job roles, departments, and staff grades and pay bands. While no individual salary figures were shared, pay band information is publicly available, meaning approximate salary ranges could be inferred. 

The data relates to staff who worked for the trust between April 2020 and May 2023. The trust has said that no financial, bank details national insurance number, address of contact information, or patient data was involved. 

How did the breach happen?

The trust said the spreadsheet was shared in response to an FOI request and was published in a format that allowed it to be edited and viewed in full. Once the issue was identified, the document was removed from the disclosure log, and the log itself was temporarily suspended while a review took place.

Royal Cornwall Hospitals NHS Trust has apologised to affected staff and said it took immediate steps to contain the incident. 

The trust has confirmed that: 

  • The breach has been reported to the Information Commissioner’s Office
  • New processes have been introduced to ensure spreadsheets are disabled before FOI disclosures
  • Additional checks are being put in place to reduce the risk of similar incidents 

An ICO spokesperson said the regulator had assessed the information provided by the trust and, after offering data protection advice, concluded that no further regulatory action was required at this stage. 

FOI-related breaches are a recurring issue across public bodies. Even where disclosure is unintentional and patient data is not involved, publishing identifiable staff information can still have real personal and professional consequences.

We are continuing to monitor developments in this case and will let you know if a group action is launched by one of our trusted legal partners. 

This information is for general guidance only and does not constitute legal or financial advice.

Found this helpful? Share it

Facebook
Twitter
WhatsApp
LinkedIn
Email

Or

You may also like:

  • Environment, News, Vehicle

Can BMW drivers claim compensation for the diesel emissions scandal?

BMW faces legal action over emissions-cheating software. Learn what the scandal involves, who is affected, and what it means for UK diesel car owners.
  • Employment, News

Asda equal pay claim: Can store workers fight for fair wages?

Asda store workers may be underpaid. Check if you qualify for an equal pay claim and take action to seek the compensation you deserve.
  • Data Breach, Financial, News

Capita data breach: Legal response & ongoing investigations

Capita’s data breach exposed pension holders’ personal data. Stay updated on the latest legal action, investigations, and regulatory responses.

You might also like

See more resources

Several bottles of Johnson's baby powder on a store shelf, symbolising the Johnson and Johnson talc lawsuit over alleged asbestos contamination and cancer risks.
  • Health & Medical, News

Johnson & Johnson talc lawsuit in the UK: What you need to know

A UK lawsuit claims Johnson & Johnson’s talc products cause cancer. Learn about the case,...
Low-angle view of people walking in a city, symbolising unity and collective action, related to key facts about group litigation for seeking justice.
  • News

10 must-know facts about group litigation for first-time claimants

Discover 10 essential facts about group litigation for first-time claimants. Learn how joining a group...
  • News, Travel

How to claim compensation for flight delays or cancellations in the UK

Delayed 3+ hours or had a cancelled flight? You could claim up to £520 under...

Did you know we have a newsletter?

Sign up for our newsletter to stay up to date.

We connect consumers with their legal dream teams to ensure they get the compensation and support they deserve.

claims
About
Legal
Connect

Join the Claim is not a law firm. We connect individuals with top law firms for group action claims, and our service is free to use. While we may receive a fee from the law firms we introduce you to, this will not affect your costs or compensation. We are not responsible for the advice or services provided by these firms. Please note, nothing on this website is legal advice, and while we check claim eligibility, we cannot guarantee a law firm will accept a case.

Join the Claim is a registered trading name of Big on Media ltd. Big on Media is registered in the United Kingdom under licence number 09878028 with its registered office located at Big on Media, 32 Eyre Street, Sheffield, England, S1 4QZ

© Join the Claim All Rights Reserved |

2026
Go to claims