The NHS has suffered yet another data breach thanks to inappropriate handling of sensitive data by one of its staff.
Personal details of as many as 500 NHS doctors were exposed after an internal spreadsheet containing their details was published online.
Personal details of as many as 500 specialist trainee doctors at St Helens and Knowsley Teaching Hospitals NHS Trust were exposed after an internal spreadsheet containing their sensitive and private details was published online. Details in the spreadsheet included National Insurance numbers, email addresses, and home addresses of the 500 doctors.
The NHS Trust acted quickly to remove the exposed data and informed the Information Commissioner’s Office about the breach.
“I’m glad the Trust acted so quickly [to remove the data,] but this should never have been loaded onto the website in the first place. It has left all of us potentially at risk of identity theft or fraud or worse. It’s pretty shocking,” said one of the affected doctors to the Health Service Journal.
In July, an Italian researcher at the North Middlesex University Hospital was fired after he revealed sensitive details of 31 women who had given birth at the hospital via a Facebook post. While the breach was a cause of concern, what was more worrying was that it revealed details of several women who had not consented to be part of an internal programme on which the researcher was working.
The recent data breach at St Helens and Knowsley Teaching Hospitals NHS Trust makes it clear that merely updating outdated software in NHS hospitals will not prevent data breaches, as the human factor remains the largest vector for such leaks.
“We’re not sure that automation would remove the risk, because robots need to be programmed by competent IT managers – and it’s looking less and less like the NHS has too many available,” said Matt Lock, director of sales engineers at Varonis to V3.
In July, the ICO also found the Royal Free NHS Foundation Trust guilty of sharing sensitive data of 1.6 million patients without adequately informing patients about how their data would be used. The Trust has been ordered to conduct a privacy impact assessment which will explain how the Trust will comply with the Data Protection Act while conducting clinical safety tests.