igor - Fotolia

HIV clinic data breach shows lessons not learned

The latest NHS data breach comes after repeated warnings in recent years by the ICO about the risk of disclosing personal data through poor email practices

The accidental disclosure of the names and addresses of 780 people by the 56 Dean Street clinic in London shows data breach lessons of the past are not being learned, say security advisors.

The clinic was forced to apologise after the contact details of subscribers to its newsletter were shared with all other recipients, many of whom are living with HIV.

Health secretary Jeremy Hunt said the breach was “completely unacceptable” and has ordered an inquiry into how the NHS handles confidential medical information, reports the Guardian.

The Care Quality Commission is to review the effectiveness of existing data security measures in the NHS and recommend improvements to reduce the risk of inadvertent data disclosures.

The review will also look at how the NHS can improve defences against cyber attacks.

News of the breach coincides with an announcement by the Health and Social Care Information Centre (HSCIC) that it has set up a cyber security service to manage risks to data in health and care.

The care computing emergency response team (CareCERT), which aims to enhance cyber resilience across health and social care, is expected to be fully operational from January 2016.

Within hours of the 56 Dean Street breach, the clinic set up a helpline and sent patients an apology from Alan McOwan, director for sexual health at the Chelsea and Westminster hospital NHS trust.

He said the email had been recalled as soon as the error was identified and promised steps would be taken to ensure it never happens again.

The information commissioner’s office (ICO), which has documented several similar email-related breaches of personal data, said it was aware of the incident and was making inquiries.

The latest data breach of this kind comes after repeated warnings by the ICO about the risk of disclosing personal data through poor email practices.

According to the ICO, the most common data breaches in NHS organisations include personal data being posted or faxed incorrectly to individuals or third parties; the loss and theft of paperwork; emails being sent to the wrong recipients; loss and theft of unencrypted devices; and a failure to redact third-party data in documents before their release.

“We keep seeing breaches of these kinds occur, which is particularly frustrating when lessons could have been learned from similar breaches to improve employee education on data protection and best practice when handling sensitive information,” said Tony Pepper, chief executive of data security firm Egress Software Technologies.

“While many organisations already have top-down policies and procedures in place, it is clear staff are often not following these rules. Consequently, matching policy with smart information security technology is the best way to protect against human error,” he said.

Jacob Ginsberg, senior director at security firm Echoworx, said this breach is all the more tragic because it could have been prevented by having the right policies and technology in place.

“Health care institutions need systems that provide complete visibility and control over the distribution of email and sensitive corporate documents so they can ensure the protection of their patients’ personal information,” he said.

Ginsberg said security systems such as gateway encryption can scan email for sensitive content and automatically apply policy to stop data leaks before they start.

“The ubiquitous nature of the internet makes it easy for confidential information to find its way into the wrong hands. The security of data online must be viewed as a priority by everyone, especially in the health care sector,” he said.  

Luke Brown, vice-president and general manager for Digital Guardian in Europe, said there have been several similar breaches in the past year.

“While businesses often recover, it’s the victims that continue to pay the price. A simple mistake like this can have life-altering effects for those caught in the middle,” he said.

Brown said not only has 56 Dean Street revealed its customers’ medical diagnosis, but by not carefully protecting their data, their customers’ life insurance, employment opportunities and many other areas of their lives could be affected.

“Data protection should be of the upmost importance in environments like this. Unfortunately recent research by the Online Trust Alliance found almost one-third of data losses are caused by staff – whether done maliciously or accidentally. Looking within your organisation for potential threats to data security is imperative,” he said.

According to Brown, human error is something many organisations forget about when working with sensitive data.

“It could be misplacing a USB stick or failing to conceal the recipients of a group email, as in this case. Organisations should be prioritising data protection and aiming to combat human error so simple mistakes like this don’t happen again,” he said.

Read more about NHS data breaches

Read more on Privacy and data protection