Employee details of Wales NHS staff – including dates of birth, radiation doses and National Insurance numbers – have been stolen after a cyber hack on a private contractor’s computer server, where the information was stored.
All the staff who had their details stolen were required to wear a radiation dose meter to measure radiation while working with X-rays.
Hackers accessed the organisation who manage this data – Landauer. Their system was compromised and the data was stolen.
All the staff who had their details stolen were required to wear a radiation dose meter to measure radiation while working.
>See also: 30% of NHS Trusts were victims of ransomware attacks
The Welsh NHS described the data breach as “deeply disappointing” and it has started an investigation.
According to managers, radiographers, cleaners and other staff at most health boards in Wales are affected by the hack.
This includes around 530 staff who work for the Velindre NHS Trust, which coordinates the radiation dose meter badges in Wales.
According to reports, 654 staff at the Betsi Cadwaladr University Health Board had personal details exposed, as well as an unconfirmed number of people working for private dentists and vets.
Clwyd West AM Darren Millar said the breach, in fact, happened in October but staff were only formally told at the start of March.
“This really is an astonishing data security breach,” he said
“You’ve got thousands of NHS workers who’ve had their personal details compromised. The delays in informing those who’ve been affected are completely unacceptable.”
>See also: NHS Trust trusting email ahead of post
The Velindre health trust was informed on 17 January, with Andrea Hague, cancer services director confirming that an unauthorised third party illegally gained access to a data server used by Laundauer.
“The reasons behind this delay in notifying us of the breach is the subject of ongoing discussions with the host company,” Hague said.
A spokesman for the Betsi Cadwaladr health board said: “No patient information has been affected, 654 of our staff, current and past, have been affected by this security breach.”
“We have contacted all the staff affected to reassure them that Landauer has acted swiftly to secure its servers and that, since the attack, it has undertaken significant measures in connection with its UK IT network to ensure that no further information can be compromised.”
“Landauer has also arranged for the staff affected to have free access to the credit monitoring agency Experian for the next 24 months.”
This most recent data breach highlights the issue of supply chain security. Thomas Fischer, threat researcher and security advocate at Digital Guardian recognises this and comments: “The issue of supply chain security is a complex matter. Many organisations assume that both upstream and downstream business partners are secure.”
“But the question is how to validate this? Many believe that if third party suppliers and contractors are compliant to one security standard or another, they can be trusted with sensitive data. But being compliant at one point in time is not a true indication of security posture, as it doesn’t take into account any changes in the company’s infrastructure or advancements in attack techniques.”
“It is key to understand where and how internal employees and external contractors are using data. This means putting in place a consistent data protection policy and other controls to ensure that data is shared in a secure manner. This needs to include authentication, encryption and access rights, according to different roles and data types. Another important factor is user awareness, providing the right tools for users to take informed decisions when sharing and editing data.”