Thousands of NHS staff details nicked amid IT contractor server hack

Radiation dose-measuring firm took months to let Welsh trust know

The personal information of thousands of medical staff in Wales, UK, were stolen after an IT contractor's server was hacked.

Details including names, dates of birth, national insurance numbers and radiation doses of radiography staff were stolen by hackers accessing the UK-based systems of global dosimetry company Landauer. It is understood that the breach will also affect NHS facilities in England and Scotland.

The total number of affected staff is 4,766. This figure includes 3,423 NHS Wales staff and former staff, and 1,343 non-NHS customers — including private hospitals and dentists, veterinary practices and airport screening staff.

The breach, which occurred in October 2016, affected the Radiation Protection Service (RPS) which is run by the Velindre NHS Trust in Wales. Velindre today announced the breach publicly, stating that it was itself only notified of the breach on 17 January this year, months after it had taken place, and that “the reasons behind this delay in notifying us of the breach are the subject of ongoing discussions with the host company.”

Landauer had not responded to The Register's enquiries as of publication.

Velindre reported the breach to the Welsh government and other regulatory bodies. A spokesperson for the Welsh government told The Register: “We are aware of this incident and will be expecting full details of the investigation and outcome.”

“This is an incident in a large global company holding data on individuals in many countries across the world,” stated the spokesperson. “This problem affects individuals in England and Scotland also. NHS staff have been made aware of the situation and appropriate measures have been put in place to support them.”

An ICO spokesperson said: “We are aware of this incident and are making enquiries. The organisations impacted should be informing staff if they have been affected. There are measures people can take to guard against identity theft, for instant being vigilant around items on their credit card statements or checking their credit ratings. There are more tips and information on our website.”

A spokesperson for the Betsi Cadwaladr University Health Board admitted that 654 of its own staff had been affected by the breach. “No patient information has been affected by this breach. Landauer provides ionising radiation monitoring for NHS Health Boards across the UK and holds personal information on NHS staff including names, radiation dose and in some cases, dates of birth and National Insurance numbers.”

We have contacted all the staff affected to reassure them that Landauer has acted swiftly to secure its servers and that, since the attack, it has undertaken significant measures in connection with its UK IT network to ensure that no further information can be compromised. Landauer has also arranged for the staff affected to have free access to the credit monitoring agency Experian for the next 24 months.

“We are also working closely with our Information Governance department and the Information Commissioner’s Office to ensure that the actions we have taken are in line with our requirements under the Data Protection Act 1998,” the spokesperson continued. ®

Biting the hand that feeds IT © 1998–2021