Third-Party Hack Exposes NHS Wales Staff Details

Thousands of NHS Wales staff have had their details exposed after a data breach at a private contractor.

According to the BBC, hackers gained access to IT systems belonging to a company called Landauer, which handles data on behalf of NHS Wales. The stolen information included names, dates of birth and National Insurance numbers. Radiation dose records were also accessed during the breach, as the affected staff worked with x-ray machines.

Radiographers, cleaners and other staff at a number of NHS Wales boards were affected by the breach, the BBC said. Included in this number are around 530 people working for the Velindre NHS Trust, the organization in charge of coordinating the radiation dosimeter badges in Wales.

A further 650 staff working for Betsi Cadwaladr University Health Board had their data accessed, as did some people working for private dentists and vets and NHS staff in England and Scotland.

Infosecurity Magazine reached out to Landauer, but the company had not responded at the time of publication. The ICO said in a statement: “We are aware of this incident and are making enquiries. The organizations impacted should be informing staff if they have been affected.”

A spokesperson for Betsi Cadwaladr health board told the BBC: “No patient information has been affected; 654 of our staff, current and past, have been affected by this security breach. We have contacted all the staff affected to reassure them that Landauer has acted swiftly to secure its servers and that, since the attack, it has undertaken significant measures in connection with its UK IT network to ensure that no further information can be compromised.”

The statement added that all staff had been given free access to credit monitoring service Experian.

It appears the breach happened back in October 2016, but the Trusts were only made aware in January 2017, and staff were told in March.

Clwyd West AM Darren Millar criticized the delay in revealing the breach. “This really is an astonishing data security breach,” he told the BBC. “You've got thousands of NHS workers who've had their personal details compromised. The delays in informing those who've been affected are completely unacceptable.”

Andrea Hague, cancer services director at the Velindre health trust, said they were in discussions with Landauer about the notification delay.

Rashmi Knowles, CISSP, chief security architect EMEA at RSA, also criticized the notification delay.

“The Welsh NHS must consider itself very lucky that the EU GDPR is not yet in play. Otherwise it would be facing a colossal fine, and rightly so. The breach itself is not even the biggest issue. The most disappointing part is the way that the NHS responded to it or, more accurately, failed to respond. The EU GDPR stresses privacy by design, meaning that following bad processes is what will cause the biggest fines – as is the case here. Under the new regulations, all organizations will need to disclose within 72 hours of the breach being discovered,” she said.

Marc Agnew, vice-president, ViaSat Europe, said that third-party security is an increasing concern for public sector organizations. “Increasing financial pressure means that sub-contracting is likely to become common in more parts of the public sector. As vital tasks become shared across more and more organizations, it’s crucial that the NHS control not only its own data protection policies, but also those of any contractors,” he said.

“Indeed, data security should form a key part of any contract that is signed and should be monitored rigorously, with failure to comply being met with hefty penalties. Thankfully, no patient data was affected. However, the NHS needs to ensure that all data is encrypted, and both patient and employee confidentiality is preserved as we move into the age of digital health services,” Agnew added.

This is the second data breach in recent weeks to impact NHS services in Wales.
