Thousands of Welsh NHS staff's data stolen in hack

image copyrightGeograph/Mick Lobb
image captionVelindre NHS Trust is responsible for running the Radiation Protection Service in Wales

Details of thousands of medical staff in Wales have been stolen from a private contractor's computer server.

Names, dates of birth, radiation doses and National Insurance numbers of staff who work with X-rays were copied as hackers accessed Landauer's system.

The Welsh NHS described the data breach as "deeply disappointing" and it has started an investigation.

The Welsh Government and information commissioner have been informed and Landauer has been asked to comment.

Affected staff all use radiation dose meter badges to measure their exposure while working with X-rays.

This data is processed on behalf of the Welsh NHS by Landauer, whose computer servers were attacked.

Managers said radiographers, cleaners and other staff at most health boards in Wales are affected, including about 530 working for the Velindre NHS Trust, which co-ordinates the radiation dose meter badges in Wales.

Some 654 staff at Betsi Cadwaladr University Health Board had some personal details compromised, as well as a number of people working for private dentists and vets and NHS staff in England and Scotland.

The Welsh NHS said different combinations of personal data were copied and not everyone was affected in the same way.

One affected worker said "sometimes it feels like the whole of my life has been stolen".

"My life could be compromised at any time in the future, we just don't know what the hackers will do with this," the radiographer, who wished to remain anonymous, told BBC Radio Wales' Good Morning Wales programme.

"If they are clever, they won't use it straight away. So I'm worried something can happen in 10, five years time. Even longer."

A cyber security expert said the data breach meant personal details - including National Insurance numbers - could be used to obtain mortgages, banks loans or cars.

David Jones, of Westgate Cyber Security, said most common internet thefts focus on information such as usernames, passwords and credit card information - however, these details can be changed fairly easily by the person targeted.

"You can understand why from the bad guys' perspective, having access to this [personal] data which will always be of value is actually more interesting sometimes than a pure financial fraud," Mr Jones added.

This personal data alone would not be enough for "significant financial transactions", he said, but it could be used alongside more detailed information which is available for as little as £50 per person online.

He added: "The threat is everywhere [for every public body and company] now. It shows anyone can get at the information if they are willing to take risks.

"And the risks of getting caught on the internet we know is quite low."

'Astonishing breach'

Clwyd West AM Darren Millar said he was concerned as the breach happened in October but some staff were only formally told at the start of March.

"This really is an astonishing data security breach," he said

"You've got thousands of NHS workers who've had their personal details compromised. The delays in informing those who've been affected are completely unacceptable."

Andrea Hague, cancer services director at the Velindre health trust, said an unauthorised third party illegally gained access to a data server used by Laundauer.

The trust was told of the breach on 17 January.

"The reasons behind this delay in notifying us of the breach is the subject of ongoing discussions with the host company," Ms Hague added.

Velindre NHS Trust said it was carrying out its own full incident investigation and was working with Landauer to prevent any future breaches.

A spokesman for Betsi Cadwaladr health board said: "No patient information has been affected, 654 of our staff, current and past, have been affected by this security breach.

"We have contacted all the staff affected to reassure them that Landauer has acted swiftly to secure its servers and that, since the attack, it has undertaken significant measures in connection with its UK IT network to ensure that no further information can be compromised.

"Landauer has also arranged for the staff affected to have free access to the credit monitoring agency Experian for the next 24 months."

More on this story