
How Do Medical Data Breaches Happen?

by Mic Johnson

When medical information is sent to the wrong person, it can be devastating for medical professionals and patients. It is reported that, between 2019 and 2021, there were around 3,557 personal data breaches within the NHS, leading to a lack of trust as well as a number of court cases.

As well as being a breach of confidentiality, this also contravenes GDPR laws, which can result in lengthy and expensive legal action. In this article, we’ll look at what medical data breaches are and how they happen.

What is a Medical Data Breach?

A medical data breach occurs when private or confidential information about a patient is shared or published. A breach can be inadvertent, i.e. information is shared by accident, or deliberate, whereby the breach occurs through an act of malice or cybercrime.

Although not highly publicised (for obvious reasons), there have been a few incidents of data breaches relating to the NHS involving some high-profile organisations, including Virgin Care, GlaxoSmithKline and Imperial College London, according to audits by NHS Digital.

In the case of Virgin Care, it’s thought that the NHS released identifiable patient data to Virgin Care without permission from NHS Digital, including data concerning children, learning difficulties and diagnostic imaging.

How Do Medical Data Breaches Happen?

Medical data breaches can occur in a number of different ways. In this section, we’ll discuss some of these:

Cyber Attacks

A medical data breach can happen as a result of a cyber attack such as hacking or phishing. This is where a person actively and knowingly acquires personal or confidential data in order to use it for their own benefit.

Such benefits may include identity theft or the stealing of financial information for their own gain. Although there are no recorded cases of data breach cyber-attacks against the NHS, cybercrime is a growing problem in the UK with around 1.6 million incidents of cybercrime every year.

Another form of a data breach through cybercrime is phishing, whereby a criminal will target the email accounts of medical staff in order to gain access to systems and servers.

These attacks are often facilitated by the fact that the hospital or medical facility has old or unpatched security vulnerabilities which serve as an open door to hackers and cybercriminals.

Human Error

They say that ‘to err is human’ and sadly, a lot of medical data breaches are caused by simple human error. This can occur in a number of ways, including:

  • Email – An employee may inadvertently send an email containing personal data to the wrong recipient. This can happen (and frequently does) through selecting the wrong address from a drop-down list or by typing the address incorrectly.
  • Passwords – When an employee fails to adequately protect his or her login and password information, it can leave a hospital or medical organisation vulnerable to a data breach.
  • Insecure links – We mentioned phishing earlier in this article, and this kind of attack can occur when an employee clicks on a link contained within an email.

Employee Espionage

While it is possible for an employee to inadvertently cause a data breach, it’s also possible, sadly, for this to be a deliberate act. Some cases of medical data breach happen when an employee deliberately and knowingly shares or publishes information either for self-gain or as a form of revenge against their employer.

Physical Theft

Since the COVID-19 pandemic, a significant number of employees have been either working from home or working a hybrid model – the latter of which means that the employee will often be transporting their laptop or device between work and home.

While this can be a convenient and rewarding way of working, it can also leave the employee vulnerable to the theft or robbery of their device. This, in turn, can increase the risk of a medical data breach if the device falls into the wrong hands.

The Consequences of a Medical Data Breach

A medical data breach can have some far-reaching consequences for both the medical facility and the patient, including:

For the Patient


  • Identity theft – whereby a criminal will gain access to personal information such as date of birth and addresses in order to set up new accounts for themselves in another person’s name.
  • Financial theft – whereby a criminal will gain access to financial information, including bank account numbers and credit / debit card details.
  • Discrimination due to the publishing of an illness or medical condition.

For the Facility

  • A loss of reputation.
  • Compensation claims – should the patient discover that their privacy has been compromised.
  • Loss of staff due to potential dismissal.

Keeping Data Safe for Patients

As cybercriminals become increasingly sophisticated and tech savvy, outdated computers and tech in hospitals are often no match for their skills. However, following the introduction of GDPR laws in 2018, it has become more important than ever for medical facilities (including GP practices) to ensure that they safeguard patient data not just on moral grounds but on legal grounds too.

Anybody who has reason to believe that their data has been compromised by a doctor, hospital, GP or other medical facility should gather as much evidence as they are able to before seeking the services of a specialist solicitor in order to find out what their options are.

Please be advised that this article is for general informational purposes only, and should not be used as a substitute for advice from a trained legal professional. Be sure to consult a lawyer/solicitor if you’re seeking advice on medical data breaches. We are not liable for risks or issues associated with using or acting upon the information on this site.
