Thousands of NHS staff in Wales have had their private information stolen after hackers accessed their details through an IT contractor’s server.
The private information included:
- Full names;
- Dates of Birth;
- National Insurance Numbers;
- Radiation doses.
NHS Shocked
The Welsh NHS was shocked to discover a data breach of this size, affecting thousands of its employees and affiliated health service staff. An estimated 4,766 people had their private information stolen: 3,423 current and former NHS staff in Wales, and 1,343 staff working in private hospitals, dental practices and veterinary practices.
It’s thought that the data breach could also affect NHS services in England and Scotland.
Government and ICO aware
The Welsh Government and the Information Commissioner's Office (ICO) are both aware of the breach and will be conducting thorough investigations. If the ICO finds that the contractor, Landauer, was negligent in its security measures, the data protection enforcement authority can issue a fine of up to £500,000.
Staff who work in radiology, such as those who conduct X-rays for patients, wear a radiation dose meter badge that keeps track of how much radiation they are exposed to. The readings from these badges were reportedly stored and processed by the IT contractor Landauer.
One radiographer told the BBC:
“My life could be compromised at any time in the future; we just don’t know what the hackers will do with this. If they are clever, they won’t use it straight away. So I’m worried something can happen in 10, 5 years’ time. Even longer.”
Unknown future…
The nature of stolen data is that, in most cases, it can never be known for certain how far it has spread, especially once it has been uploaded to the internet. In the vast expanse of the internet, the smallest piece of information can travel far and wide. Anyone who comes into contact with that information effectively becomes a data controller, and there is no telling what they may do with it.
Data threats are everywhere
Security expert David Jones said that data breach threats are everywhere.
Hackers are becoming ever more sophisticated in their methods, and catching them is extremely difficult. Companies and other data controllers must therefore do all they can to protect the information they hold. This is not just a moral obligation: the Data Protection Act imposes a legal obligation through a number of legal principles.
The NHS is no stranger to these rules; it has previously been fined by the ICO for inadequate security measures.
In a bid to protect the affected staff from further harm, the current and former workers have been offered free identity theft support for a year. This offer seems less generous when we consider the radiographer’s words above: the information may not be used straight away. Unless the perpetrator is caught and every copy of the compromised data is wiped, the affected victims could spend the rest of their lives worrying that someone out there holds their private information indefinitely.
Delay in informing staff affected
The ICO is aware that there was a delay in informing affected staff of the breach. Quite often, breached companies or authorities do not inform affected staff or customers, either to avoid panic or because they expect the problem to be resolved quickly. This way of thinking is simply outdated and must change as soon as possible. Every delay in notifying the victims of a data leak gives the hackers more opportunity to abuse the information they have stolen.