Personal details of thousands of Welsh NHS staff, including names, dates of birth, National Insurance numbers and radiation dosage records, have been stolen following a breach of a third-party contractor's server.
The third-party contractor, Landauer, was compromised last October, and the details taken from its system belong to members of staff who work with X-rays. Landauer is contracted to process the data associated with this area.
A key question is when the attackers will choose to put the stolen data to use: in previous cases there has been a significant delay between the theft and any further action, as was evident in recent news of leaked gamer details that had been stolen in 2015.
Laurance Dine, Managing Principal, Investigative Response, Verizon, said: “Details on how this breach was perpetrated haven’t been disclosed, but in the coming days and weeks we will almost certainly see a great deal of speculation over how, who and why. However, what certainly isn’t new here is the five-month delay between when the incident occurred and when those affected were notified.”
Dine highlights another key area of concern, as the time between the breach and the notification of affected individuals is extensive, bringing into question how long it took before the breach was even noticed.
Rashmi Knowles, Chief Security Architect, RSA, said: “The Welsh NHS must consider itself very lucky that the EU GDPR is not yet in play. Otherwise it would be facing a colossal fine, and rightly so. The breach itself is not even the biggest issue. The most disappointing part is the way that the NHS responded to it or, more accurately, failed to respond. The EU GDPR stresses privacy by design, meaning that following bad processes is what will cause the biggest fines – as is the case here. Under the new regulations, all organisations will need to disclose within 72 hours of the breach being discovered. The five months it has taken in this case is quite frankly shocking.”