PERSONAL details about women who have had a stillbirth appear to have mistakenly been published online by the trust which runs Winchester hospital.

The information, which is listed as ‘restricted’, includes sensitive and private details such as previous miscarriages and pregnancy terminations, and was published as part of the papers for Hampshire Hospitals NHS Foundation Trust’s board of directors meetings.

These could be freely accessed online by anyone, as well as downloaded or printed, and were published online for several weeks.

The information was included in a review of stillbirths at the trust, but has since been taken down after the Chronicle's sister paper asked the trust if the publication was a breach of confidentiality.

Three reviews were published in two different documents in June and July, providing details including the date and time of the stillbirth, the women’s age and BMI, the gender and weight of their baby, and detailed medical history including previous miscarriages and pregnancy terminations.

At the bottom of the report, it states: “Restricted. Not to be copied or shared without the permission of the chair for a period of 10 years from the date of the meeting or the production date – 19 July 2023” raising questions as to whether the information should ever have been published in a public place online, as it could lead to the women being identified.

The NHS’s confidentiality policy offers principles for all those who work within NHS England who have access to ‘person-identifiable information’ or confidential information.

It states that “all employees working in the NHS are bound by legal duty of confidence to protect personal information they may come into contact with during the course of their work”.

It adds: “Person-identifiable information is anything that contains the means to identify a person”.

Examples given include date of birth, which was included in the stillbirth report of the babies born.

The Information Commissioner’s Office, which investigates reported breaches, said that organisations must notify them within 72 hours of becoming aware of a personal data breach “unless it does not pose a risk to people’s right and freedoms”.

It added: “If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary.

“If anyone has concerns about how their data has been handled, they can report these concerns to the organisation, if they are not happy with the response they can bring it to the ICO.”

Malcolm Ace, chief financial officer for HHFT, said: “The privacy of our patients is of the utmost importance to the trust and we are taking this matter very seriously. As Senior Information Risk Officer, I have referred this to the (ICO) as a potential breach of the Data Protection Act 2018 and we will act quickly on any and all recommendations given.”