One in Eight English Adults Have Had Medical Data Stolen

One in eight people in England have had their personal medical data stolen by hackers, with chemists' shops a key point of weakness, according to a new study from Accenture.

The consulting giant polled 1000 consumers in England as part of the seven-country 2017 Healthcare Cybersecurity and Digital Trust Research study.

It found 13% had suffered medical data loss, with chemists (35%) the most likely to be breached, followed by hospitals (29%), “urgent care clinics” (21%) and doctors’ offices (19%).

Fraud was the overwhelming reason for the data theft, cited by 82% of breached respondents.

The main follow-on crimes included fraudulently filling prescriptions (42%), fraudulently receiving medical care (35%) and fraudulently billing for care (25%).

Medical information can be particularly valuable to fraudsters because – unlike card data – it’s difficult for the victim to replace, and so has a long shelf-life.

A quarter of respondents in England said they had their health insurance ID number stolen, while 18% had biometric data compromised.

However, reassuringly, respondents in England were the most proactive among all the countries studied in taking action following a breach, with 94% doing so.

The study's findings should come as no surprise, given the UK healthcare sector is regularly the biggest cause of data breach incidents according to privacy watchdog the ICO.

There were 577 incidents reported to the ICO in the final quarter of 2016, for example.

Tony Pepper, co-founder and CEO of encryption firm Egress, said this trend needs to change urgently.

“While the healthcare system in the UK is one of the best in the world, unfortunately the same can’t be said of its data security,” he argued.

“There needs to be a concerted effort now to drive forward a move to digital to prevent the issue of paper records going missing – which happens all too frequently – while at the same time ensuring robust digital defenses are in place. Not only will this help reduce the number of security incidents the NHS sees, but it will also make sure that data can be tracked and, if something does happen, it can be dealt with quickly.”

Ironically, Accenture’s own performance in the UK’s healthcare sector has been less than stellar in recent years.

A 'reply all' email fiasco which caused misery for healthcare professionals last November could apparently have been prevented if functionality requested by the NHS had been switched on.

Accenture was given the £60m contract to upgrade the system to NHSmail2 in 2015, but reportedly came in for criticism in an NHS Digital report earlier this year for failing to implement “clear and strict” design controls limiting the volume of emails one user could send at one time.
