Hospitals, healthcare providers, and health services have been inundated with security breaches, data leakages, and hacks. Inadequate data protection practices, despite the highly sensitive personal information that hospitals store, have led to a significant number of breaches. Many hospitals have also fallen prey to hackers who seek to access this personal information for lucrative exploits and identity theft.
The UK’s Information Commissioners Office reprimanded NHS Highland for a data breach that resulted in exposure of sensitive patient information. 37 patients were visibly copied into a general email detailing their access to HIV services. The ICO did not issue a fine but publicly stated the severity of this breach and the need for stronger safeguards to be put in place concerning HIV services. They also instructed healthcare services to strengthen their data protection practices.
Similarly, 11 letters from Shrewsbury and Telford Hospital (SaTH), detailing sensitive medical information, were sent in one envelope to a SaTH patient also awaiting contact from the hospital. The Medical Director of SaTH has stated that an investigation is underway and that preventative measures are being put in place to avoid an incident like this from repeating. These instances provide examples of poor data protection practices leading to data breaches, however, there are instances in which intentional breaches have been perpetrated.
An example of this was the recent Canberra Health Services (CHS) case, where it was found that staff intentionally sent the clinical records of 13 patients to an external organization. This breach had taken place over several years. The Australian government alerted the police and the relevant federal authorities and though this case is now under investigation, privacy campaigners have questioned how this breach could have taken place over several years, further questioning the adequacy of the data protection practices and systems in place.
Health services and hospitals are purposely sought out by hackers due to the highly sensitive nature of the information that they store. Community Health Systems, an American healthcare provider, suffered a data breach that affected 1 million patients. Sensitive patient information such as addresses and insurance information was accessed.
In an extremely malicious attack, a cybercriminal group targeted and blackmailed an American health network, Lehigh Valley, which refused to pay a ransom. The group then proceeded to post nude photos of oncology patients onto the dark web and stole the health records of more than 75,000 people.
These breaches and data leaks occurred in March 2023, showing the extent to which hospitals are vulnerable to attacks, emphasizing the importance of robust data protection practices and systems to keep highly sensitive information safe. It has been suggested that to combat this issue, instances of breaches should be thoroughly investigated to address any internal weaknesses and to limit the effect of hackers in future breach attempts. It is also apparent that some healthcare professionals lack knowledge concerning data security meaning that data breaches, however incidental in nature, will be inevitable.
(Photo by Irwan on Unsplash)