Hundreds of NHS patients and staff have had their personal data exposed to strangers after internal process failures, it has emerged this week.
Human error at NHS Highland earlier this month led to the personal information of 284 patients with diabetes being shared via email with 31 individuals, according to local reports.
Although details of medical history were not in the spreadsheet accidentally sent to the 31 people, it did apparently include names, dates of birth, contact information and hospital identification numbers.
That’s more than enough to craft convincing follow-on phishing emails.
The affected patients have been contacted and the Information Commissioner’s Office (ICO) notified, although it is not the first time the trust has been found wanting. In 2018 it apparently exposed the names of over 30 patients with HIV.
“The fact that the information was stored on a spreadsheet and easily emailed out serves as a reminder that even if organizations have good security controls, they will not be effective unless there is a culture of security and staff understand the importance of securing data,” argued KnowBe4 security awareness advocate, Javvad Malik.
“It is an organization’s responsibility to inform staff of the importance of cybersecurity and provide the tools, training and processes needed to keep information secure.”
The second breach was reported at Basingstoke hospital, run by Hampshire Hospitals NHS Foundation Trust in southern England.
Although reported to the ICO in July, it has only just come to light in papers published by the trust, according to local media.
This time a spreadsheet containing personal information on 1000 members of staff at the hospital was shared with senior managers.
The same hospital suffered another breach the following month, after details of a woman who suffered a stillbirth were apparently published online.
The healthcare sector suffered 214 reported data incidents in Q1 2020-21, more than any other sector and accounting for about 15% of the total for the period, according to the ICO.
Human error accounted for a large number of these incidents. For example, incidents involving data emailed, posted or faxed to incorrect recipients and incorrect use of BCC comprised nearly a third (30%) of the total.