NHS Error Exposes Data on Hundreds of Patients and Staff



Hundreds of NHS patients and staff have had their personal data exposed to strangers after internal process failures, it has emerged this week.



Human error at NHS Highland earlier this month led to the personal information of 284 patients with diabetes being shared via email with 31 individuals, according to local reports.



Although details of medical history were not in the spreadsheet accidentally sent to the 31 people, it did apparently include names, dates of birth, contact information and hospital identification numbers.



That’s more than enough to craft convincing follow-on phishing emails.



The affected patients have been contacted and the Information Commissioner’s Office (ICO) notified, although it is not the first time the trust has been found wanting. In 2018 it apparently exposed the names of over 30 patients with HIV.



“Due to the fact that the information was stored on a spreadsheet and easily emailed out serves as a reminder that even if organizations have good security controls, they will not be effective unless there is a culture of security and staff understand the importance of securing data,” argued KnowBe4 security awareness advocate, Javvad Malik.



“It is an organization’s responsibility to inform staff of the importance of cybersecurity and provide the tools, training and processes needed to keep information secure.”



The second breach was reported at Basingstoke hospital, run by Hampshire Hospitals NHS Foundation Trust in southern England.



Although reported to the ICO in July, it has only just come to light in papers published by the trust, accord ..
