Thousands of Welsh NHS employees have had their personal data stolen. The data is processed by a private contractor, Landauer, who’s system has been hacked. The breach is said to have transpired in October last year however, those staff affected have only been informed this month- March 2017.
Darren Millar, politician for the Clywd West constituency remarked, “This really is an astonishing data security breach. You’ve got thousands of NHS workers who’ve had their personal details compromised. The delays in informing those who’ve been affected are completely unacceptable.”
Under the new EU General Data Protection Regulation (GDPR), already enacted but enforced in May 2018, such a delay will not be allowed. Authorities and those affected must be informed within 72 hours of the data controller becoming aware of the data breach occurring.
Landauer has said that the intruder was able to install malware onto their UK servers allowing an unknown third party to make a copy of the data.
The Welsh Government and Information Commissioner have been informed and the Welsh NHS has described the data breach as ‘deeply disappointing’.
Personal data compromised includes: names, dates of birth, national insurance numbers as well as radiation doses from Welsh NHS medical staff (staff all use radiation dose meter badges to measure their exposure while working with X-rays). Moreover, the data combinations affected vary for each employee.
Managers said that radiographers, cleaners and other staff at most health boards in Wales are affected, involving about 530 staff working for the Velindre NHS Trust, which co-ordinates the radiation dose meter badges in Wales.
Approximately 654 staff at Betsi Cadwaladr University Health Board had some personal data compromised, as well as a number of people working for private dentists and vets as well as NHS staff in England and Scotland.
It has been noted that no patient information has been compromised.
This type of breach is becoming commonplace and this incident highlights the heightened need for data security and the importance of safeguarding personal data. Everyone is a potential target and organisations must make data security a priority. They have a responsibly to their employees, clients and customers to ensure that the data that they process and hold is always secure.