UK Watchdog Investigates 2 Data BreachesSeparate Leaks Reveal HIV Patient, Magazine Subscriber Identities
Britain's data protection watchdog, the Information Commissioner's Office, is investigating two suspected data breaches that occurred this week.
In one of the incidents, the identities of about 780 HIV and sexual health service patients were publicly released due to human error. The other incident reportedly involved some magazine subscribers' personal details being leaked via email apparently due to a software flaw.
The first of those breaches involved 56 Dean Street, a London clinic operated by the Chelsea and Westminster Hospital National Health Service Foundation Trust, which inadvertently released the names and email addresses of subscribers to its Option E service, which enables HIV-positive patients to sign up for appointments and receive test results via email.
Chelsea and Westminster Hospital NHS Trust confirmed to Information Security Media Group that the data was released due to an "administrative error." Names and email addresses that should have been hidden - by including them in the email BCC field - were instead pasted into the CC field, thus exposing the identities to all recipients. The trust says it reported the incident to the NHS.
"We can confirm that due to an administrative error, a newsletter about services at 56 Dean Street was sent to an email group rather than individual recipients," the trust says in a statement. "We have immediately contacted all the email recipients to inform them of the error and apologize."
A newsletter about services at 56 Dean Street was sent to an email group rather than individuals. We are so sorry this has happened [...]" 56 Dean Street (@56deanstreet) September 2, 2015
Health Secretary Promises Review
U.K. Health Secretary Jeremy Hunt told the annual NHS England conference in Manchester on Sept. 2 that the breach was "completely unacceptable," the Guardian reported. Hunt said that the Department of Health's Care Quality Commission, which regulates and inspects health and social care services in England, would conduct a thorough review of its data security processes, including how to protect stored information against cyber-attacks and how to prevent staff from accidentally leaking sensitive information.
"Nothing matters more to us than our own health, but we must also understand that for NHS patients, nothing matters more to them than confidence that the NHS will look after their own personal medical data with the highest standards of security," Hunt said.
Reacting to the breach, one victim told the Guardian: "I have been a patient at 56 Dean Street since moving to London five years ago, and I have always trusted them with my information. Option E is a service set up for patients who are stable and on long-term HIV treatment. It is designed to make life easier, so your results etc. are sent via email. I find it impossible to believe that in this day and age this can happen. I was able to scroll down the list and identify the names of a number of people who I knew, some of whom I was unaware of their status."
The ICO says that it is reviewing the breach.
We are aware of the incident regarding the 56 Dean Street clinic and are making enquiries" ICO (@ICOnews) September 2, 2015
Magazine Subscribers' Details Leaked
Another apparent inadvertent release of personal information occurred when British retailer WH Smith inadvertently emailed the personal details about some individuals who subscribe to magazines via the retailer.
Leaked data included names, addresses and phone numbers for the magazine subscribers, which appeared to get sent to at least hundreds of people who had been using the WH Smith website's "contact us" form, the Guardian reports.
WH Smith confirmed the problem on Sept. 2, although by later in the day posted a statement to Facebook claiming that there had been no data breach, and adding that that there had been a "systems bug," which it blamed on the third-party service provider that handles its WH Smith Magazines site. It said that the problem had been resolved and claimed that personal information for less than two dozen people had been leaked.
"We have been alerted to a systems bug by I-subscribe who manage our magazine subscriptions. This is not a data breach. We can confirm that this has impacted 22 customers," WH Smith said. "I-subscribe have (sic) immediately taken down this online form and are contacting the customers concerned to apologize for this administrative error. This issue has not impacted or compromised any customer passwords or payment details."
But multiple customers disputed WH Smith's attempt to describe the data leak as having not been a breach. "I've had multiple emails this morning disclosing other customers' personal email addresses and phone numbers," said Hannah Spink on the WH Smith Facebook page. "How can you possibly say that's not a breach!"
The ICO says that it is also reviewing this incident.
We are aware of the incident regarding WH Smiths and are making enquiries" ICO (@ICOnews) September 2, 2015
UK Data Protection Regulations
As WH Smith noted, no customer passwords or payment details appear to have been released. But the company, its third-party magazine subscription provider, or both may have violated U.K. data protection regulations, which require that "appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data," with personal data referring to any information that could be used to identify a person.
The regulations also require organizations to designate who is responsible for data protection inside the organization to ensure that the right physical and technical security controls are in place - "backed up by robust policies and procedures and reliable, well-trained staff" - and that organizations are "ready to respond to any breach of security swiftly and effectively."