Skip links

NHS Digital exposes hundreds of email addresses after BCC blunder copies in entire invite list to ‘Let’s talk cyber’ event

NHS Digital has scored a classic Mail All own-goal by dispatching not one, not two, not three, but four emails concerning an infosec breakfast briefing, each time copying the entirety of the invite list in on the messages.

The first email sent yesterday morning thanked participants for “registering for NHS Digital’s Full Digital Breakfast: Let’s talk cyber, scheduled for Thursday 21 October 2021, 8:00-9:00am.”

Apparently Neil Bennett, CISO at NHS Digital, and Phil Huggins, National CISO at NHS X, “along with guest speakers, will have a conversation about the ongoing protection and how an increasingly digitised world means we must be super vigilant and cyber secure, where cyber hygiene is essential in protecting patients.”

According to sources caught up in the email chain, NHS Digital were sending the emails in an attempt to change the invite details. The fourth was a cancellation “again with every single person copied in,” one healthcare techie told us.

“They have subsequently put an email out to a BCC list that just reiterates the meeting is on but does not acknowledge the data breach.

“Oh and it’s still doing the rounds as some people have done the usual ‘Reply All’, which is a frustration to anyone who didn’t want their emails sharing or their inboxes clogging.”

The event, which is scheduled for tomorrow morning, is open to anyone who wants to register. It was estimated by people on the email chain that between 100 to 200 email addresses were shared across the attendee list. It included a mix of private individuals and private company addresses.

As one of those registered told us, the irony wasn’t lost on them given the breakfast briefing subject matter. “So, not so conscious of security then.”

As email blunders go, this is ranked pretty low down in terms of seriousness – just think of this story, or this one – but it is more than a little embarrassing.

An NHS Digital spokesperson said of the issue: “We take our responsibility to safeguard personal data extremely seriously. This was an invitation to a closed event sent to individuals who had confirmed they wished to attend.

“As soon as we became aware of concerns we took immediate remedial action including reporting the incident for further investigation and deleting the original invitation.

“We seek to continually improve our processes and will ensure we provide delegates with an alternative means of attending our events in future.”

The Reg has also asked the Information Commissioner’s Office if anyone has reported the screwup, and it said it hadn’t yet received a report. A spokesperson said: “Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms.” ®