Thousands of NHS Wales employees' data stolen in massive hack
Data breach hits cleaners, radiographers and students


The personal information of thousands of health workers in Wales has been stolen in a data breach affecting an IT supplier. NHS England and Scotland have also been affected to a lesser extent.
More than 1,000 staff in two NHS trusts, Velindre and Betsi Cadwaladr University Health Board, had their names, dates of birth, radiation doses and National Insurance numbers stolen. The breach primarily affects current and former staff working with X-rays, such as radiographers, as well as cleaners and students.
The organisation in question, Landauer, provides ionising radiation monitoring services. Velindre NHS Trust said Landauer experienced a data breach on 6 October 2016, but that it didn't make contact with the trust, which manages the Radiation Protection Service on behalf of all Welsh health boards, until 17 January this year.
There was an even longer delay in telling affected staff, however, who were only contacted in "the last few weeks", according to BBC Good Morning Wales, which broke the story. The programme said managers in the health service will be investigating the reason for the delay.
Betsi Cadwaladr University Health Board said in a statement: "We have been informed by Velindre NHS Trust who manage the Radiation Protection Service on behalf of health boards in Wales that the third party provider of the service, Landauer, has experienced a data security attack on one of its UK servers which affects our staff.
"No patient information has been affected by this breach. We have contacted all the staff affected to reassure them that Landauer has acted swiftly to secure its servers and that, since the attack, it has undertaken significant measures in connection with its UK IT network to ensure that no further information can be compromised."
Velindre cancer services director, Andrea Hague, said: "Velindre NHS Trust has identified around 530 of its own staff affected by the breach and we have written to all those involved.
"Notification of the data breach was received by the Trust on 17 January this year, but it is understood that the actual incident happened in October 2016. The reasons behind this delay in notifying us of the breach are the subject of ongoing discussions with the host company."
The Welsh government, meanwhile, said it is aware of the incident "and will be expecting full details of the investigation and outcome", and the UK's data privacy watchdog, the Information Commissioner's Office, said it is aware of this incident and is making enquiries.
IT Pro has contacted NHS England, NHS Scotland and Landauer for comment, but they had not responded at the time of publication.

Jane McCallion is Managing Editor of ITPro and ChannelPro, specializing in data centers, enterprise IT infrastructure, and cybersecurity. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.