ICO making enquiries into Landauer breach of NHS staff data

The Information Commissioner Office “is making enquiries” into the hack of a US company that has compromised the privacy of thousands of NHS staff at all nine health boards and trusts in Wales.

Over 3,000 NHS Wales staff are the latest victims of the data breach at US company Landauer, with their names, dates of birth, radiation doses and NI numbers stolen from one of the company’s UK computer servers.

Reported by the BBC on Monday, it follows earlier revelations from last month that the NHS staff in Scotland and England staff have been affected.

The company failed to informed any of the affected organisations until months after the hack.

An ICO spokesperson said in a statement to Digital Health News that: “We are aware of this incident and are making enquiries”.

“The organisations impacted should be informing staff if they have been affected.”

She added that there are tips to guard against identity theft on the ICO’s website.

Staff working with X-rays monitor their exposure through radiation dose meter badges. Many NHS organisation contract Landauer to process this data.

A spokeswoman for Velindre NHS Trust that co-ordinates the badges in Wales said 3,423 NHS Wales individuals have been affected and 1,343 non-NHS staff, which may include private hospitals, dental surgeries, veterinary practices and airport screening staff.

Andrea Hague, Velindre’s cancer services director, said in a statement that “while this breach is not within Velindre’s own managed systems, this serious incident is, nonetheless, deeply disappointing”.

Hague said the hack occurred in October but she was not informed until 17 January.

“The reasons behind this delay in notifying us of the breach are the subject of ongoing discussions with the host company.”

Velindre NHS Trust said at least 530 of its own staff were affected, and all have been informed.

A Welsh government spokesperson said in a statement to Digital Health News that it was also aware of the incident and “will be expecting full details on the investigation and outcome”.

The Velindre spokeswoman said Landauer will continue working with the trust “until a standard retendering process is undertaken, in line with trust policy”.

The news comes after Digital Health News reported last month that the personal data of at least 293 Scottish NHS staff, held by Landauer, was compromised.

Nine NHS health boards in Scotland have contracts with Landauer.

England has not been immune from the breach, with staff at the Royal Bournemouth Hospital reporting their data has been compromised earlier this month.

In a statement provided to Digital Health News at the time, a Government spokesperson said NHS Digital was working with affected organisation to handle with the “external breach”.

“This government takes digital security extremely seriously.”

The spokesman said there was growing cyber threat across the UK and support was available through the newly established National Cyber Security Centre.

NHS staff that have been affected by the “unlawful access” of their “limited personal details” have been offered free identity theft support for 12 months.

Commenting on the latest revelations, Thomas Fischer, global security advocate at Digital Guardian, said the issue of supply chain security is complex.

“It is key to understand where and how internal employees and external contractors are using data. This means putting in place a consistent data protection policy and other controls to ensure that data is shared in a secure manner.”