Security Breach Sees Thousands Of Welsh NHS Staff Data Stolen


The data was swiped form a server being operated by an external contractor

Data belonging to thousands of staff working for the Welsh NHS has been stolen from a server run by private contractor Landauer.

Described by the Welsh NHS as “deeply disappointing”, the data breach exposed information on names, dates of birth, National Insurance numbers and radiation doses pertaining to staff working for the healthcare service in Wales.

Welsh NHS data breach

NHS SecurityThe data breach, which was found to have happened last October with the Trust alerted to it on 17 January, has affected around 530 NHS workers at the Velindre NHS Trust, which co-ordinates radiation dose meter badges in Wales.

It also exposed some personal details of 654 employees from the Betsi Cadwaladr University Health Board, according to the BBC, as well as people working as NHS staff in England and Scotland and as private dentists and vets.

Details of how the data was swiped from the server of the contactor have not yet come to light, however there is a risk that cyber criminals could use the leaded data to impersonate medical staff and commit fraud. Though the personal data alone is not expected to be enough to commit any major financial transactions.

Security shortcomings

data security breachThe security industry noted that the breach indicated more attention needs to be paid to the security practises and processes of external contractors to ensure they are up to scratch.

“The issue of supply chain security is a complex matter. Many organisations assume that both upstream and downstream business partners are secure. But the question is how to validate this?

“Many believe that if third party suppliers and contractors are compliant to one security standard or another, they can be trusted with sensitive data. But being compliant at one point in time is not a true indication of security posture, as it doesn’t take into account any changes in the company’s infrastructure or advancements in attack techniques,” said Thomas Fischer, threat researcher and security advocate at Digital Guardian.

“It is key to understand where and how internal employees and external contractors are using data. This means putting in place a consistent data protection policy and other controls to ensure that data is shared in a secure manner. This needs to include authentication, encryption and access rights, according to different roles and data types. Another important factor is user awareness, providing the right tools for users to take informed decisions when sharing and editing data.”

Rashmi Knowles, CISSP chief security architect for the EMEA region at security firm RSA, was not impressed with how the Welsh NHS handled the data breach.

“The Welsh NHS must consider itself very lucky that the EU GDPR is not yet in play. Otherwise it would be facing a colossal fine, and rightly so. The breach itself is not even the biggest issue. The most disappointing part is the way that the NHS responded to it or, more accurately, failed to respond.

“The EU GDPR stresses privacy by design, meaning that following bad processes is what will cause the biggest fines – as is the case here. Under the new regulations, all organisations will need to disclose within 72 hours of the breach being discovered. The five months it has taken in this case is quite frankly shocking,” she said.

 “The fact that this attack was via a third-party is also a timely wake up call. Just because the Welsh NHS can make the tired claim that this attack was not its fault, it is still very much its problem and liability. Throughout the NHS and in the entire public sector, third party risk should be a top priority.

“This means determining which parts of operations rely on third party relationships, which relationships pose the greatest risk, and giving those risks higher visibility, action and oversight. Thankfully no patient information has been affected, but highly sensitive employee data certainly falls into the category of high value and high risk. The NHS should have known that and acted accordingly.”

Quiz. Are you a security guru?