It has been reported that a data breach at NHS Highland has led to the personal information of 284 patients with diabetes being shared with more than 30 people. The error, which occurred on Tuesday, November 17, led to the names, dates of birth, contact information, and hospital identification numbers of the patients being revealed. The information had been stored in a spreadsheet and included recorded notes of when patients attended or were offered training. NHS Highland referred itself to the Information Commissioner’s Office (ICO) over the incident the following day and has contacted the affected patients by letter.
No personal information relating to medical history was shared.
This breach, however contained in size, further confirms that unfortunately the risk of human error – whether it is sending out personal details to the wrong recipient or misconfiguring cloud storage – can never be completely eliminated. For this reason, having adequate security measures is a must for protecting data. Ensuring that each individual within the workforce has only the access necessary to do their job can help reduce the risk of a data leak occurring in this manner. Having multiple layers of security is vital to protect the data that matters.
While this incident is unfortunate, it cannot be traced to cybercriminal activity. Instead, this is simply an instance of human error and careless data security hygiene. This is all the more concerning when considering the similar issue that faced NHS England’s Test and Trace app. We are seeing too many organisations taking a lax approach to data security and the consequences are showing. No institution should be storing ultra-sensitive personal health information (PHI) or personally identifiable information (PII) in plain text in a spreadsheet. While this event is being reported as a data breach, in reality, it is nothing more than a critical clerical issue. Fortunately, the data was not stolen or openly distributed; however, this is a lesson that organisations should take note of if they wish to avoid the headlines in the future.
This is an unfortunate incident and healthcare records are some of the most sensitive data that people like to keep private.
The fact that the information was stored in a spreadsheet and could easily be emailed out serves as a reminder that even if organisations have good security controls, they won’t be effective unless there is a culture of security and staff understand the importance of securing data. It’s an organisation’s responsibility to inform staff of the importance of cybersecurity and provide the tools, training, and processes needed to keep information secure.