NHS tops the list for serious data breaches last year


Whistleblowers alerted the UK's data watchdog to 20 NHS trusts, 13 local government authorities, five courts and five central government departments with reports of serious data breaches in 2014.

An extra 498 data breaches were self-reported to the Information Commissioner’s Office (ICO) by the NHS departments. Further, 148 local government departments also admitted to losing personal information, a Freedom of Information request has revealed.

The breaches ranged from lost hardware, such as a USB key or printed copies of patient information, to sensitive information uploaded to websites, technical failures and hacking.

The Department for Work and Pensions (DWP), Cafcass (the children and family court service), the Ministry of Justice (MoJ) and the Crown Prosecution Service were named and shamed in the file seen by ComputerworldUK.

The findings come as polling company YouGov published the results of a survey this morning that found that 72 percent of British adults are concerned about hacking and unauthorised access to their personal information online.

The broad list and volume of data breaches investigated last year alone reveal how easy it seems to be for private and public organisations to lose clients' or customers' personal information.

The database, seen by ComputerworldUK, reveals the names of firms that suffered a serious breach, and were referred to the UK’s data protection body by whistleblowers. Firms that self-reported a data breach were granted anonymity.

4,200 patient records put online in error

In the health sector, various NHS trusts were named, including Gloucestershire Hospital NHS Trust and a Northern Irish hospital which had thrown out hardware without wiping patient records.

Princess Alexandra Hospital, Amberley Hall Care Home, Barnet and Chase Farm Hospitals NHS Trust, Cardiff and Vale Health Board and NHS Greater Glasgow and Clyde were also on the ICO enforcement team's list of cases to investigate.

Oxford Health NHS Foundation Trust was served undertakings (a formal and public agreement to comply with the Data Protection Act) after it put 4,200 patients' details online and sent personal details to the wrong patients.

A file including email addresses, user names, passwords and billing addresses was published online when a new website for its cognitive therapy arm went live, and a letter disclosing a patient's mental health was sent to the wrong person.

Similarly, search giant Google was forced to sign an undertaking because it had not made clear how it used users' browsing information, for example for behavioural advertising.

Data breach trends amongst different sectors

Across all the industries within the UK there are trends in data breaches. While in 2013 financial firms were the worst offenders on the ICO's hit list, the NHS took top spot last year. It is important to note that audits for data protection compliance may apply a higher threshold to lenders, insurers and banks because of the sensitive information they hold.

Schools and education bodies were the next most investigated, followed by local and city councils. A total of 29 data breaches were reported within central government and 24 within the police and crime departments. Within private firms, solicitors and barristers were investigated the most.

In the financial sector, whistleblowers reported four separate breaches at Santander UK, Royal Bank of Scotland, Bank of Ireland and Clydesdale Bank. In all cases the ICO put in place an 'improvement action plan' and offered advice to ensure the breaches did not happen again.

The NHS’ title as ‘most investigated’ for potentially serious data breaches by the ICO could be the nail in the coffin for health secretary Jeremy Hunt’s highly controversial care.data program. The scheme to feed patient records into a UK-wide data program was proposed to allow online access from any health service and to serve as an extra revenue stream for the NHS by selling anonymised information on to third parties.

Of the self-reported breaches, four resulted in undertakings, highlighting their seriousness. They were in the retail, health, local government and estate agent sectors.

Total data breaches investigated by the enforcement team by sector

Central government departments: 29, including the MoJ, DWP and the Post Office

Local and city councils: 159, including the Borough of Poole, Islington and Argyll and Bute Council

Charities: 53, including The National Autistic Society and Western Isles Foyer

Schools and education: 112, including Strawberry Fields Primary, Health Education England and Nunhead Primary School

Estate agents: 6

Financial advisors: 25, including Barrington Lewis for the loss of an unencrypted device holding personal information

Health: 517, including West Hertfordshire Hospitals NHS Trust

Housing: 43

Insurance: 20, including the European Risk Insurance Company, which uploaded personal information to its website in error

Police and criminal records: 24, including the Disclosure and Barring Service, which was served an undertaking, and Walker Cooke solicitors

Recruitment agencies: 8, including Badenoch and Clark and Marks Sattin Limited

Retail: 22, including Phones 4 U

Solicitors or barristers: 61, including Syeds Solicitors and Kirby Jones

Telecoms: 9, including BT

Utilities: 4, including Spark Energy

Copyright © 2015 IDG Communications, Inc.