NHS Wales staff information stolen following security breach

"We have been informed by Velindre NHS Trust who manage the Radiation Protection Service on behalf of health boards in Wales that the third party provider of the service, Landauer, has experienced a data security attack on one of its UK servers which affects our staff,” said a representative for the Betsi Cadwaladr University Health Board

Cyberattack raises more questions regarding data security

[Cardiff, Wales] Hackers have stolen information about medical staff working in Wales from a private company’s server, the BBC reported earlier this week.

Both the Velindre NHS Trust and the Betsi Cadwaladr University Health Board revealed they were affected by the security breach, which involved the copying of dates of birth or National Insurance numbers of NHS staff.

Andrea Hague, Cancer Services Director at the Velindre trust, said: “Velindre NHS Trust has received notification that an unauthorised third party has illegally gained access to a data server used by one of the Trust’s IT suppliers, Landauer.

“Landauer has indicated that the breach was made on one of its UK servers, directly impacting on the Radiation Protection Service (RPS), a facility run through the Velindre Cancer Centre.”

Hague added that nearly 549 staff at the Velindre trust had been affected by the breach, all of whom have now been contacted to be offered advice and support. Landauer reportedly contacted the trust regarding the cyberattack on 17 January, although the actual incident occurred in October last year.

“The reasons behind this delay in notifying us of the breach are the subject of ongoing discussions with the host company,” Hague stated.

“In accordance with the Trust Incident Reporting and Investigation Policy, a ‘No surprises’ incident report has been submitted to Welsh Government. Requirements to report to other regulatory bodies are being undertaken, as required, by the relevant individual organisation(s),” she concluded.

Growing ‘black market’

A spokesperson for the Betsi Cadwaladr University Health Board said they were also informed by the Velindre trust, which manages the Radiation Protection Service in Wales, that Landauer had ‘experienced a data security attack’ on a UK server.

"No patient information has been affected by this breach. We have contacted all the staff affected to reassure them that Landauer has acted swiftly to secure its servers and that, since the attack, it has undertaken significant measures in connection with its UK IT network to ensure that no further information can be compromised,” the representative added.

A Welsh Government spokesperson said: “We are aware of this incident and will be expecting full details of the investigation and outcome. This is an incident in a large global company holding data on individuals in many countries across the world. This problem affects individuals in England and Scotland also. NHS staff have been made aware of the situation and appropriate measures have been put in place to support them.”

Last year, Derrick Bates, Information & Cyber Security Officer for the North Cumbria Hospitals NHS Trust, talked to BJ-HC about the impact of the growing ‘black market’ of stolen healthcare data.

“With the complexity and proliferation of today’s connected world, attack surfaces are huge. The key is to protect to your utmost by seeing everything on the network and seeing everyone on the network, because you cannot manage what you cannot see. You must also be able to see, respond to and resist everything and everyone trying to gain access to your network,” he added.