Thousands of staff details of those working in NHS Wales have been stolen from a private contractor’s computer server.
The data breach exposed data of staff who worked with X-rays, including information such as names, dates of birth, National Insurance numbers and radiation doses.
According to the BBC, those affected include 530 NHS workers at the Velindre NHS trust, 654 employees from the Betsi Cadwaladr University Health Board and various people working as NHS staff in England and Scotland and as private dentists and vets.
The data stolen was being held by monitoring company Landauer.
The breach occurred last October, but the Velindre trust was not informed until January. Moreover, staff were only told about the breach formally at the beginning of March.
Speaking about the delay in response, Rashmi Knowles, CISSP, Chief Security Architect EMEA at security firm RSA, said: “The Welsh NHS must consider itself very lucky that the EU GDPR is not yet in play. Otherwise it would be facing a colossal fine, and rightly so. The breach itself is not even the biggest issue. The most disappointing part is the way that the NHS responded to it or, more accurately, failed to respond. The EU GDPR stresses privacy by design, meaning that following bad processes is what will cause the biggest fines – as is the case here. Under the new regulations, all organisations will need to disclose within 72 hours of the breach being discovered. The five months it has taken in this case is quite frankly shocking.
“The fact that this attack was via a third party is also a timely wake-up call. Just because the Welsh NHS can make the tired claim that this attack was not its fault, it is still very much its problem and liability. Throughout the NHS and in the entire public sector, third-party risk should be a top priority. This means determining which parts of operations rely on third-party relationships, which relationships pose the greatest risk, and giving those risks higher visibility, action and oversight. Thankfully no patient information has been affected, but highly sensitive employee data certainly falls into the category of high value and high risk. The NHS should have known that and acted accordingly.”
Marc Agnew, vice president of technology company ViaSat Europe, spoke about the need for better data security within the NHS: “The NHS needs to ensure that all data is encrypted, and both patient and employee confidentiality is preserved as we move into the age of digital health services.”
Velindre NHS trust has said it is carrying out an investigation into the breach and will be working with Landauer to prevent any future breaches.