Strengthening Controls to Reduce Information Disclosure Risk

According to an article by Joseph J. Lazzarotti, attorney at Jackson Lewis, the Royal Cornwall Hospital’s 2023 data breach illustrates how routine processes can create significant information disclosure risk when controls fall short. The hospital unintentionally published hidden sickness-absence data for more than 8,000 people while responding to a Freedom of Information request. This oversight shows how easily sensitive material can surface when organizations fail to account for what lies beneath a document’s visible layer.

Lazzarotti explains that electronic files often carry embedded elements—metadata, hidden columns, tracked changes, and comments—that are not obvious during standard review. I cannot verify this independently, but this claim aligns with widely recognized document-handling issues. In Cornwall’s case, the absence data existed in concealed fields even though the spreadsheet appeared sanitized. The same exposure risk applies to email chains, where older content buried deep in a thread may contain confidential or unrelated information that is inadvertently passed along.

The article emphasizes that organizations are not obligated to accept every information request at face value. Lazzarotti stresses that entities should examine whether the requested scope fits the stated need and push back when demands are overly broad. This approach is framed not as obstruction but as responsible stewardship of sensitive material. Lazzarotti also details the hospital’s corrective actions, including reporting the incident, removing the file, suspending its disclosure log, and tightening review processes. 

For risk leaders, durable protection against information disclosure risk depends on strong written policies, defined review authority, and recurring employee training. These measures build a defensible position and reduce the likelihood of future missteps, especially when inadvertent disclosure cannot be entirely undone.