The NHS frequently hits the headlines for data incidents, with some of the most prominent NHS trusts responding to situations and pledging to take action to avoid similar incidents in future. Unfortunately, however, one incident is often all it takes to adversely impact an organisation’s reputation, leading to legal liabilities and shifting attention away from improvement efforts.
More importantly, data loss events affect the trust of patients and the wider public. As the perceived custodian of patient data, the NHS must maintain that public trust. The NHS is increasingly requesting patient permissions to utilise their data for the purpose of research, prevention and care improvement. Equally, in our digital age, the amount of patient data held is steadily growing. It has never been more important for data protection leaders to ensure data loss prevention procedures are robust and sustainable.
The vast majority of data incidents today are the result of human error. Inbound attacks, such as Wannacry in 2017 or the Advanced Hack in 2022, are far rarer. Data mistakenly sent to the incorrect recipient, misuse of Bcc, failure to redact, and many other human errors, lead the way in causes of data loss incidents, and are far more complex to both prevent and respond to. After all, how can one prevent people from making mistakes?
In this report we investigate the various elements of a data incident resulting from human error, including the likely state of play in the run up to and aftermath of a data loss event. With insights from data protection experts in the NHS, we will uncover actionable insights on how to avoid similar incidents in the future.
Common causes of data breaches in the NHS
Consider the following three examples of common human errors which lead to vast repercussions for the organisations in question.
While the scenarios were unique, data protection professionals are quick to acknowledge that, in all instances, there were likely some common themes which led up to the incident in question.
1. Accidental file sharing
One NHS trust saw the data of approximately 14,000 employees accidentally leaked via email. The data is believed to have been lost through an Excel file sent to hundreds of NHS managers and 24 external accounts. The document contained personal and sensitive payroll information.
2. Unauthorised platform use
In a recent investigation, the ICO found that personal information including the names, phone numbers and addresses of patients were shared via WhatsApp by 26 staff members on over 500 occasions. Images and videos, which included clinical information, were also shared.
3. Misuse of Bcc/CC
Another NHS trust was recently reprimanded when the personal email addresses of people invited to use HIV services were shared in an email to 37 people due to failure to use the blind carbon copy (bcc) function.
The run up to a breach
By Tania Palmariellodiviney, Information Governance and Data Protection Specialist
For over 17 years, I've worked with the NHS, focusing on reviewing data breaches and identifying their root causes. During this time, I have focussed on strengthening our data protection processes and ensuring patient information remains secure and confidential.
In my experience, email data breaches often fall under one of three categories:
- The misuse of the 'cc' (carbon copy) function instead of 'Bcc' (blind carbon copy)
- The accidental sharing of personally identifiable information in attachments, particularly Excel spreadsheets with ‘hidden’ tabs
- Mistakenly sending emails to the wrong recipient as a result of the autofill function
The list goes on, but the results of such human errors are the same, leading to the unintentional exposure of patient or staff personal data. And, when these mistakes occur, there are a range of consequences for both the individuals involved and the NHS organisation.
Interestingly, the root causes of breaches involving “disclosure in error by email” were almost always identical. These issues were less about individuals being unaware that they should not have committed the action and more about the lack of appropriate tools, prevalent workarounds, and intense work pressures.
Teams facing particularly intense work pressures naturally experienced the highest number of incidents; these were the same teams who expressed a need for me to emphasise in my Leadership Team reports that they required more resources and better tools, rather than additional pressure.
It doesn't matter in which environment, whether in the NHS, education, commercial organisations or charities - it is always the same picture. Email has been around for years and years, and the issues around email and data loss incidents still haven’t been resolved. While there have been a number of security tools brought in to protect it, employees continue to face the same issues.
In one organisation I worked with, it took one year to draft an email security policy. Even such a simple policy took a long time to implement because combating human error felt like an impossible task. The tools we had weren’t robust enough to prevent it. Even though we could encrypt emails, employees could still send them to the wrong person.
Encryption is the minimum - it's a defence and, by law, enabling encryption ensures we can say we've done what we could. But the bottom line is that employees want a tool to support them in behaving securely. They want to be empowered to share sensitive patient data safely; administrative teams, too, want to be able to work efficiently, quickly, but safely. The tools within reach, historically, do not help people - they hinder them.
Historically, when we did a root-cause analysis on data breaches, the results were often the same: the employee(s) involved were overworked, over-stretched, and they were under great amounts of pressure. Technology needs to empower healthcare staff to deliver the best patient care. The fact is, as proven by increasing data incidents, the technology we require healthcare staff to use is often having the opposite effect.
As a data security professional, I have trialed many different measures to prevent data incidents. We have put posters up to prompt people to think twice before pressing ‘send’. We have encouraged the ‘triple check’ approach, or the three second rule. However, people are quick to remind us that they don’t have three seconds to pause to check before sending an email. They are working under great time restraints and their priority, rightly so, is delivering effective patient care; they are not digital security experts.
The bottom line is that whatever we did as data protection professionals, it was just not good enough. And that is why NHS organisations continue to experience data loss events - the measures we have trialed, and the technology we have historically used, don’t meet the needs of people. We must start with the requirements of our people, and understand the challenges they are facing, to ensure the measures we take in future are designed to empower the user to avoid the leading causes of data incidents. Only then can we hope to see events like these decrease.
Following a data breach
By Barry Moult, Info Gov/Privacy Consultant, Director at BJM IG Privacy Ltd
Following years spent in information governance at a number of NHS organisations, I now work closely as a consultant to those responsible for the digital and data protection strategies at healthcare organisations across the UK. Unfortunately, even with all our efforts, incidents occur and information governance leaders must react quickly.
It goes without saying that data breaches can be very stressful for the individuals and organisations involved. There is a lot to consider following an incident, including:
- The individual involved may feel failure, guilt, and lots of other emotions in the wake of a data incident, particularly if the mistake was caused by human error (and not of malicious intent, for example). The organisation needs to be aware of the impact on that individual, and provide support where needed.
- Every data breach may have varying consequences for the individuals whose data has been lost. Organisations have a duty of candour and must inform the individual in an open and transparent way.
- Not all data breaches are reportable to the Information Commissioner's Office. Organisations may use the ICO’s risk matrix to determine if an incident must be reported to the ICO. If the organisation determines it is not reportable, the reasons and rationale must be documented.
It is also important to note that a breach can be reported and, after further investigation, can be removed. Not all data breaches, or in some circumstances data incidents (near misses), are reportable to the ICO. For example:
- If a GP Practice sends a letter to the wrong practice (deemed as a ‘trusted partner’)
- If the potential breach was contained, i.e. a letter retrieved from the post room, or an email recalled (effectively) before it was read.
- If an encrypted mobile device was lost or stolen.
- If the breach is unlikely to cause ‘significant’ harm. This can be a difficult judgment to make as the impact of an incident is often subjective. The decision and rationale must be recorded.
- All data breaches (including ‘near misses’) must be investigated, actioned, and learned from. Action must be taken immediately to mitigate any further breaches or escalation. This can include:
b. Pulling the plug on an IT system
c. Suspension of a member of staff, and other immediate mitigations
From experience, to gain actionable insights and experience from incidents, there are some key questions to ask:
- Policy: What does the relevant security policy(s) state must be done or not done? Is the policy clear and robust? If not, this is an opportunity to make any necessary adaptations to avoid similar incidents in future. After all, there is no need to wait for the next ‘official’ review date. Take action to change it now. Following a reported data breach, the ICO may ask for a copy of relevant policies and these must be up to date and fit for purpose.
- Training: Is your security awareness training up to scratch? There is good and bad training and it is important to reassess the training delivered, whether it is eLearning or face to face. Does it cover the risks in processing data? Consider the data breach in question and question whether mitigation actions are covered in the training. I would also ask a relevant person to assess the training. For example, if it was a cyber breach, ask your cyber lead to review and make suggestions.
- Processes: Is the processing of data an issue? I’ve regularly heard the statement, “We have always done it this way”. This is a risky trap to fall into. What might have been good practice last year, may not be ideal today. Be open to change and adapt processes where necessary.
- Legislative changes: I also advise staying up to date with UK GDPR principles, including retention (storage) limitations. Consider whether the breach could have been avoided if the data had not been kept for as long, or whether more data was collected or shared than initially was required or agreed. Is the organisation meeting its requirement to be lawful, fair and transparent, as required by the GDPR?
- Mitigations: Investigate the state of your tech stack; is software out of date? Again, what may have been adequate when first purchased may need reviewing after a period of time; technology is always changing, after all, and what may not have been available to meet your organisation’s requirements at one point in time may be available to you now. Organisations need to consider the right tools to help with risk mitigation as well as client service.
- Communication: It's all well and good taking actions and learning lessons, but that can be of little value if the lessons learnt are not communicated to all staff. Reports of data breaches (incidents) must be reported to the Board/Senior Management Team, who have collective responsibility for ensuring that UK GDPR Article 32 is complied with (refer to Chapter 4 - Article 32 | UK GDPR (uk-gdpr.org))
- Data Protection Impact Assessment: The organisation needs to consider completing or reviewing a DPIA. Following the data breach, new risks are likely to have been identified that have previously been missed or unconsidered (refer to Risks and data protection impact assessments (DPIAs) | ICO).
- Other considerations: Data loss events can occur for any number of reasons, including software corruption, power supply outage, flood, fire etc. Non-availability of data can impact service delivery (refer to The NIS Regulations 2018 - GOV.UK (www.gov.uk)).
- Deep dive: I recommend to all my clients that a six monthly or annual ‘deep dive’ is carried out on all reported or ‘near miss’ incidents. This will enable organisations to identify any particular staff groups, departments, processes or systems that need special attention. This would also include reviewing the corporate risk register.
How to take a preventative approach to data security
It isn’t rare for a trust to hit the headlines before seeking out a solution to ensure they avoid similar incidents in future. We see a number of organisations (in both the public and private healthcare sector) turning to Zivver in the wake of a data loss event.
- Human error prevention tools to avoid Bcc/CC errors, autocorrect mistakes, and accidental sharing of sensitive data in files and email
- Recall functionality you can rely on, without time limits, and expiration controls
- Large file transfer capability, up to 5TB
- Simple recipient experience, with MFA controls. Users don’t need to create Zivver accounts to access sensitive data.
Zivver seamlessly integrates with M365 and Outlook, empowering users to email securely from their familiar email environment. In short, we enable healthcare staff to focus on the job at hand with simple, effective security tools.
Learn more about Zivver for NHS Trusts.
Last updated - 15/09/23