Personal data from tens of thousands of people has been leaked in a massive NHS patient data breach. The sensitivity of the breached data, which includes details of medical procedures for patients including children, means the incident could lead to criminal proceedings, experts told Tech Monitor.
Names, addresses and phone numbers of “tens of thousands” of patients were included in the cache of documents, as well as test results for cervical screenings and letters to parents detailing urgent surgery for their children, according to the Mail on Sunday, which first reported the breach.
The information was reportedly leaked by PSL Print Management, a Preston-based consultancy firm, which manages the “print, fulfilment and dispatch of more than ten million items of sensitive patient letters on behalf of over two hundred NHS organisations.” The company’s NHS contracts are worth several million pounds, according to the Mail.
An NHS spokesman said information on the incident had been passed to the Information Commissioner’s Office (ICO), which on Sunday announced it was opening an investigation.
NHS patient data breach: what happened?
The breach occurred when a PSL employee, who was in dispute with the company, requested all emails and texts relating to their employment, the Mail reports. They were sent a memory stick appearing to contain the firm’s entire email server, including thousands of letters attached to emails between PSL staff and another printing firm, Datagraphic.
A breach of this level, containing such sensitive data, could result in a hefty fine, says Toni Vitale, partner at law firm Gateley. “Those attachments should have all been encrypted,” he says. “Granting access to the server should have had numerous amounts of double security measures added to it. I would be very surprised if the fine was less than five figures.”
Due to the sensitivity of the data and the possible flouting of GDPR, criminal proceedings could also follow. “The taking of data without the permission of the data controller, even if it’s a mistake like this, can amount to a criminal offence under section 170 of the Data Protection Act,” Vitale says.
This sort of breach can cause significant psychological harm, explains Lydia Kostopoulos, SVP for emerging tech insights at security awareness platform KnowBe4. “Such leaked data can cause tremendous distress to those whose medical privacy has been violated, it could tarnish the trust patients have in the NHS, and could even lead to identity theft,” she says.
Some information on the email server reportedly dates back to 2015, which could constitute a further breach, says GDPR consultant Tim Turner, because medical information is only supposed to be kept for as long as treatment is active. “The NHS can keep those records for a long time because they’re providing treatment [but] the printers just don’t need them,” Turner says.
Who is liable for the NHS patient data breach?
The contract between the NHS and PSL is likely to guide the ICO’s assessment of who is responsible, Turner says. “I think the one thing that is important is to know what the company was told to do,” he argues. “This could be a bunch of NHS bodies doing the right thing and then the contractor not operating as they should, or it could be that the NHS is not checking and not giving the right assurances in the first place.”
Leaks that are due to human error are common and dealt with regularly by the ICO, says Andy Norton, European cyber risk officer at security company Armis. “The vast majority of issues reported to the ICO are attributed to non-cyber ‘human-error’ root causes,” he says. “This may well be another example of an unfortunate and potentially costly mistake. Trusts, social care providers and commercial entities that handle NHS data need to comply with the Data Security and Protection Toolkit (DSPT). This is clearly a breach of the guidance in that framework.”
The leak follows an investigation last week carried out under the Freedom of Information Act, which found that an average of two NHS staff per day are being penalised for mishandling files and spying on patient records. This could call into question the data handling procedures at the NHS, says Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows.
“It is possible that their data handling procedures are either not adequately documented or otherwise not seen as a requirement by staff and contracted employers,” Morgan says. “Every employee should understand and respect the values emphasized by an organisation’s security culture, which includes compliance, proactivity, and understanding of how to identify and report risky behaviours.”
“The aftermath of the incident should include a robust risk assessment of the data handling and transmission procedures being used across the NHS, which may identify areas of improvement,” Morgan adds.