Experts On NHS Patients Have Data Exposed After Human Mistake

It has been reported that a data breach at NHS Highland has led to the personal information of 284 patients with diabetes being shared with more than 30 people. The error, which occurred on Tuesday, November 17, led to the names, dates of birth, contact information, and hospital identification numbers of the patients being revealed. The information had been stored in a spreadsheet and included recorded notes of when patients attended or were offered training. NHS Highland referred itself to the Information Commissioner’s Office (ICO) over the incident the following day and has contacted the affected patients by letter.

No personal information relating to medical history was shared.

Source: https://www.pressandjournal.co.uk/fp/news/highlands/2679853/concern-as-personal-data-of-284-diabetic-patients-breached-at-nhs-highland/

Experts Comments

November 27, 2020
Paul (PJ) Norris
Senior Systems Engineer
Tripwire
This breach, however contained in size, further confirms that, unfortunately, the risk of human error – whether it is sending out personal details to the wrong recipient or misconfiguring cloud storage – can never be completely eliminated. For this reason, having adequate security measures is a must for protecting data. Ensuring that each individual within the workforce has only the access necessary to do their job can help reduce the risk of a data leak occurring in this manner. Having multiple layers of security is vital to protect the data that matters.
November 27, 2020
Martin Jartelius
CSO
Outpost24
While this incident is unfortunate, it cannot be traced to cybercriminal activity. Instead, this is simply an instance of human error and careless data security hygiene. This is all the more concerning when considering the similar issue that faced NHS England’s Test and Trace app. We are seeing too many organisations taking a lax approach to data security and the consequences are showing. No institution should be storing ultra-sensitive personal health information (PHI) or personally identifiable information (PII) in plain text in a spreadsheet. While this event is being reported as a data breach, in reality, it is nothing more than a critical clerical issue. Fortunately, the data was not stolen or openly distributed; however, this is a lesson that organisations should take note of if they wish to avoid the headlines in the future.
November 27, 2020
Javvad Malik
Security Awareness Advocate
KnowBe4
This is an unfortunate incident and healthcare records are some of the most sensitive data that people like to keep private. The fact that the information was stored on a spreadsheet and easily emailed out serves as a reminder that even if organisations have good security controls, they won't be effective unless there is a culture of security and staff understand the importance of securing data. It's an organisation's responsibility to inform staff of the importance of cybersecurity and provide the tools, training, and processes needed to keep information secure.
