Breach Notification , Incident & Breach Response , Managed Detection & Response (MDR)

Britain's NHS Loses Health Data, Again

More than 3,000 National Health Service patients in England recently received a letter warning them that a data breach recently exposed their personal information.

See Also: Why Active Directory (AD) Protection Matters

The breach notification was issued by East Sussex Healthcare NHS Trust, which tells Information Security Media Group that it discovered the breach when a member of the public found a memory stick in a parking lot that contained personal information relating to more than 3,000 patients. The data was not encrypted.

"Our investigation to date has shown that the data stick belonged to an individual member of staff and was not compliant with trust policy," Darren Grayson, chief executive of East Sussex Healthcare NHS Trust, says in a statement.

East Sussex Healthcare NHS Trust, based in southeast England, is one of 90 regional health trusts that comprise the NHS.

In the wake of the breach, the Trust has now issued the usual post-breach bromides. "We have written to each of the patients whose information was on the data stick individually to apologize and make them aware of the incident and the actions the Trust will be taking," Grayson says. "I would like to reassure all patients that the Trust takes the security of their personal information extremely seriously."

A spokesman for the Trust was not able to immediately describe what information had been on the lost USB device. The type of information exposed also was not included in the breach-notification letter sent to affected patients, the spokesman says. Instead, the letter told patients that they could request to see copies of whatever personal information about them was being stored on the device.

Need to Enforce Policies

Brian Honan, CEO of Dublin-based BH Consulting, and a cybersecurity adviser to Europol, notes that creating a security policy does not mean it is begin enforced. "Policies by themselves are not effective controls to prevent a security breach. They merely outline the aspirations, guidelines and behaviors expected of people," he tells ISMG.

That's why security experts have long recommended backing all security-related policies with controls that enforce desired behaviors. "Effective security requires technical controls to enforce policies, to help prevent breaches, and to detect when the policies fail," Honan says. "Management supervision and enforcement of policies is equally important - together with effective security awareness training."

ICO Cites Poor NHS Performance

A spokeswoman for the Information Commissioner's Office, which enforces the U.K.'s privacy regulations, tells Information Security Media Group: "We are aware of this incident and we will be making enquiries."

The ICO's annual report, released in June, notes that from April 2014 to March 2015, the ICO cataloged 1,677 self-reported data breach incidents, of which the most - 439 incidents - were reported by the health sector, followed distantly by local government, which self-reported 125 incidents.

In February, however, the ICO was given new powers to audit the NHS, and said it planned to institute proactive and compulsory information security reviews.

"The Health Service holds some of the most sensitive personal information available, but instead of leading the way in how it looks after that information, the NHS is one of the worst performers. This is a major cause for concern," U.K. Information Commissioner Christopher Graham said in February.

"Time and time again we see data breaches caused by poor procedures and insufficient training. It simply isn't good enough," he said. "We fine these organizations when they get it wrong, but this new power to force our way into the worst-performing parts of the health sector will give us a chance to act before a breach happens. It's a reassuring step for patients."