A mix-up at a school in Worcestershire, England, caused parents to receive the COVID-19 test results of other people’s children.
The data breach, reported today by the Evesham Journal, occurred at co-educational secondary school and sixth-form college The De Montfort School (TDMS) in Evesham, which is part of the Four Stones Multi Academy Trust.
After the holiday season, students returning to learning underwent asymptomatic testing for the coronavirus at TDMS on Tuesday. In a security incident ascribed to “human error,” some students’ test results were sent to the wrong guardians.
Ninth-grade student Amelia Felton was among the children affected by the data breach. Felton’s mother, Becky, learned of the security breach not through the school but via the parent of another student.
“I’m not very happy,” Becky Felton told the Evesham Journal. “It was another parent that told me she had received my daughter’s result. This is a serious breach of personal data.”
The headteacher at The De Montfort School, Ruth Allen, confirmed that the data breach had taken place while the test results were being uploaded to the school’s network.
Allen said the incident had involved the personal data of only a small number of students. The school’s coronavirus testing process had been successful due to the cooperation of students and teaching staff.
“In line with government guidance, on Tuesday, January 4, the school facilitated asymptomatic testing for our students following the Christmas break,” said Allen.
“Testing for students was completed quickly and without fuss thanks to our excellent team of testers and the good will of our students, who now have testing down to a fine art. This meant that all students were back in face-to-face lessons on Wednesday.”
She added: “Unfortunately, whilst uploading results, a data breach occurred that affected a small number of students.”
Allen said that the data breach has been investigated according to the regulations laid out in the Four Stones Multi Academy Trust data protection policy and that the security incident was reported to the Information Commissioner’s Office.
The TDMS head added that the data breach was “found to be the result of a human error.”