Following the hacking of a private contractor, the staff at the National Health service in Wales had their personal details stolen by cyber attackers. Among the pieces of data stolen included their names, their dates of birth, their records working with medical technology and their national insurance numbers. Landauer, the contractor who was hacked, is in the business of providing products that keep the staff safe when using equipment with radiation. The firm also it also has interests in national security, health care and education.
On the 13th of March, the British Broadcasting Corporation (BBC) came out with a report that there had been an implanted malware that put the data of most health boards in Wales at risk. Among those targeted were staff who used the equipment from Landauer in monitoring their exposure levels when using radiation equipment. On the list of the people affected were 654 people on the Betsi Cadwaladr University Health Board and 500 more from the Velindre NHS Trust. The official report from the Welsh branch of the NHS is that not every member of the staff was affected since different types of data were kept on each individual.
The Velindre Hospital, which specializes in cancer treatments, received a breach notification from Landauer on the 4th of January 2017. In the notification, it was stated that “We are writing to inform you of a recent data security attack that was made on one of Landauer’s UK servers” and that “An unknown third party was able to install malware onto the server which made a copy of data.” This statement is evident that the breach must have taken place some time before it was reported to the victims.
On its part, Public Health Wales agreed that the notification for a data breach had been received as noted earlier. The institution said “This affects only a small number of our staff, who have been directly notified of the issue, and is not due to any of our own information security being breached. Our other staff and service users are unaffected by this.” It is a reassuring statement given the nature of the breach.
It took such a long time to report the hack to the affected parties, an aspect which disappointed the Welsh NHS. The data breach took place in October yet it has been reported this month (March). The director of the Velindre health trust, Andrea Hague, stated that the aspect of delaying to inform the victims of the hack was an ongoing investigation. Landauer stated that it had taken the measures needed to secure the affected parties. The affected firms are also encouraged to inform the staff members whose data has been hacked.
With these types of data breaches, people are affected to stay vigilant and report any unusual activity with their information. Checking their credit rating and any records with other firms can also make them secure.