A security breach at an NHS IT contractor has exposed the personal details of thousands of staff working across the NHS in Wales, including their names, addresses, dates of birth and National Insurance numbers. The data spill puts the staff at risk of identity fraud.
The contractor Landauer has admitted the attack and offered free access to credit monitoring agency Experian for 24 months in response.
The BBC reports that the breach of Landauer, which processes data on behalf of the Welsh NHS, has also revealed the radiation exposures of staff who work with X-rays.
The Welsh NHS, which described the breach as "deeply disappointing", has confirmed that radiographers, cleaners and other staff at health boards across Wales have been affected, including around 530 staffers working for the Velindre NHS Trust.
The hack also exposed 'some' personal details of 654 employees from the Betsi Cadwaladr University Health Board.
A spokesman for the Betsi Cadwaladr health board told the BBC: "No patient information has been affected, [but] 654 of our staff, current and past, have been affected by this security breach.
"We have contacted all the staff affected to reassure them that Landauer has acted swiftly to secure its servers and that, since the attack, it has undertaken significant measures in connection with its UK IT network to ensure that no further information can be compromised.
"Landauer has also arranged for the staff affected to have free access to the credit monitoring agency Experian for the next 24 months."
A number of people working for private dentists and vets, as well as NHS staff in England and Scotland, were also affected by the breach.
The hack on Landauer took place in October, but the report claims that NHS staffers were not told until early March.
Andrea Hague, cancer services director at the Velindre health trust, commented: "The reasons behind this delay in notifying us of the breach is the subject of ongoing discussions with the host company."
Thomas Fischer, threat researcher and security advocate at Digital Guardian, said this breach highlights how important it is for firms to understand how external contractors are using their data.
"Many believe that if third party suppliers and contractors are compliant to one security standard or another, they can be trusted with sensitive data. But being compliant at one point in time is not a true indication of security posture, as it doesn't take into account any changes in the company's infrastructure or advancements in attack techniques," he said.
"It is key to understand where and how internal employees and external contractors are using data. This means putting in place a consistent data protection policy and other controls to ensure that data is shared in a secure manner. This needs to include authentication, encryption and access rights, according to different roles and data types.
"Another important factor is user awareness, providing the right tools for users to take informed decisions when sharing and editing data."