Thousands of NHS Wales employees' data stolen in massive hack


The personal information of thousands of health workers in Wales has been stolen in a data breach affecting an IT supplier. NHS England and Scotland have also been affected to a lesser extent.

More than 1,000 staff in two NHS trusts, Velindre and Betsi Cadwaladr University Health Board, had their names, dates of birth, radiation doses and National Insurance numbers stolen. The breach primarily affects current and former staff working with X-rays, such as radiographers, as well as cleaners and students.

The organisation in question, Landauer, provides ionising radiation monitoring services. Velindre NHS Trust said Landauer experienced a data breach on 6 October 2016, but that it didn't make contact with the trust, which manages the Radiation Protection Service on behalf of all Welsh health boards, until 17 January this year.

There was an even longer delay in telling affected staff, however, who were only contacted in "the last few weeks", according to BBC Good Morning Wales, which broke the story. The programme said managers in the health service will be investigating the reason for the delay.

Betsi Cadwaladr University Health Board said in a statement: "We have been informed by Velindre NHS Trust who manage the Radiation Protection Service on behalf of health boards in Wales that the third party provider of the service, Landauer, has experienced a data security attack on one of its UK servers which affects our staff.

"No patient information has been affected by this breach. We have contacted all the staff affected to reassure them that Landauer has acted swiftly to secure its servers and that, since the attack, it has undertaken significant measures in connection with its UK IT network to ensure that no further information can be compromised."

Velindre cancer services director, Andrea Hague, said: "Velindre NHS Trust has identified around 530 of its own staff affected by the breach and we have written to all those involved.

"Notification of the data breach was received by the Trust on 17 January this year, but it is understood that the actual incident happened in October 2016. The reasons behind this delay in notifying us of the breach are the subject of ongoing discussions with the host company."

The Welsh government, meanwhile, said it is aware of the incident "and will be expecting full details of the investigation and outcome". The UK's data privacy watchdog, the Information Commissioner's Office, said it is aware of this incident and making enquiries.

IT Pro has contacted NHS England, NHS Scotland and Landauer for comment, but they had not responded at the time of publication.

Jane McCallion
Deputy Editor
