BreachExchange mailing list archives

HIV clinic data breach shows lessons not learned


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 3 Sep 2015 19:52:01 -0600

http://www.computerweekly.com/news/4500252881/HIV-clinic-data-breach-shows-lessons-not-learned

The accidental disclosure of the names and addresses of 780 people by the
56 Dean Street clinic in London shows data breach lessons of the past are
not being learned, say security advisors.

The clinic was forced to apologise after the contact details of subscribers
to its newsletter were shared with all other recipients, many of whom are
living with HIV.

Health secretary Jeremy Hunt said the breach was “completely unacceptable”
and has ordered an inquiry into how the NHS handles confidential medical
information, reports the Guardian.

The Care Quality Commission is to review the effectiveness of existing data
security measures in the NHS and recommend improvements to reduce the risk
of inadvertent data disclosures.

The review will also look at how the NHS can improve defences against cyber
attacks.

News of the breach coincides with an announcement by the Health and Social
Care Information Centre (HSCIC) that it has set up a cyber security service
to manage risks to data in health and care.

The care computing emergency response team (CareCERT), which aims to
enhance cyber resilience across health and social care, is expected to be
fully operational from January 2016.

Within hours of the 56 Dean Street breach, the clinic set up a helpline and
sent patients an apology from Alan McOwan, director for sexual health at
the Chelsea and Westminster hospital NHS trust.

He said the email had been recalled as soon as the error was identified and
promised steps would be taken to ensure it never happens again.

The information commissioner’s office (ICO), which has documented several
similar email-related breaches of personal data, said it was aware of the
incident and was making inquiries.

The latest data breach of this kind comes after repeated warnings by the
ICO about the risk of disclosing personal data through poor email practices.

According to the ICO, the most common data breaches in NHS organisations
include personal data being posted or faxed incorrectly to individuals or
third parties; the loss and theft of paperwork; emails being sent to the
wrong recipients; loss and theft of unencrypted devices; and a failure to
redact third-party data in documents before their release.

“We keep seeing breaches of these kinds occur, which is particularly
frustrating when lessons could have been learned from similar breaches to
improve employee education on data protection and best practice when
handling sensitive information,” said Tony Pepper, chief executive of data
security firm Egress Software Technologies.

“While many organisations already have top-down policies and procedures in
place, it is clear staff are often not following these rules. Consequently,
matching policy with smart information security technology is the best way
to protect against human error,” he said.

Jacob Ginsberg, senior director at security firm Echoworx, said this breach
is all the more tragic because it could have been prevented by having the
right policies and technology in place.

“Health care institutions need systems that provide complete visibility and
control over the distribution of email and sensitive corporate documents so
they can ensure the protection of their patients’ personal information,” he
said.

Ginsberg said security systems such as gateway encryption can scan email
for sensitive content and automatically apply policy to stop data leaks
before they start.

“The ubiquitous nature of the internet makes it easy for confidential
information to find its way into the wrong hands. The security of data
online must be viewed as a priority by everyone, especially in the health
care sector,” he said.

Luke Brown, vice-president and general manager for Digital Guardian in
Europe, said there have been several similar breaches in the past year.

“While businesses often recover, it’s the victims that continue to pay the
price. A simple mistake like this can have life-altering effects for those
caught in the middle,” he said.

Brown said not only has 56 Dean Street revealed its customers’ medical
diagnoses, but by not carefully protecting their data, their customers’
life insurance, employment opportunities and many other areas of their
lives could be affected.

“Data protection should be of the utmost importance in environments like
this. Unfortunately recent research by the Online Trust Alliance found
almost one-third of data losses are caused by staff – whether done
maliciously or accidentally. Looking within your organisation for potential
threats to data security is imperative,” he said.

According to Brown, human error is something many organisations forget
about when working with sensitive data.

“It could be misplacing a USB stick or failing to conceal the recipients of
a group email, as in this case. Organisations should be prioritising data
protection and aiming to combat human error so simple mistakes like this
don’t happen again,” he said.
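The failure mode described above (a newsletter sent with every subscriber's address visible in To/Cc rather than hidden in Bcc or the SMTP envelope) is the kind of thing Ginsberg's "gateway ... automatically apply policy" remark refers to. The following is an added example, not code from the article, the clinic or any vendor quoted: a minimal outbound-mail policy check that holds any message exposing more than an assumed threshold of addresses in To/Cc, beside a builder that sends the same newsletter without exposing the list. The threshold, the example addresses and the sample messages are all constructed for illustration.

```python
"""Outbound mail policy check for the 56 Dean Street failure mode: a bulk
message whose recipient list is readable by every recipient.

Added example; not code from the article or any product it mentions.
Assumptions: a message with more than MAX_VISIBLE distinct addresses in
To/Cc is held rather than delivered, and the sample messages below are
constructed, not real traffic.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import getaddresses

MAX_VISIBLE = 10  # assumed policy threshold; tune to the organisation's norms


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient can read: To and Cc, lower-cased, de-duplicated."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    seen: list[str] = []
    for _name, addr in pairs:
        addr = addr.lower()
        if addr and addr not in seen:
            seen.append(addr)
    return seen


def check_outbound(raw: bytes, max_visible: int = MAX_VISIBLE) -> dict:
    """Gateway decision for one outbound message: 'allow' or 'hold', with the count."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        return {"decision": "hold", "visible": len(visible),
                "reason": f"{len(visible)} addresses exposed in To/Cc (limit {max_visible}); "
                          "resend with the list as Bcc / envelope recipients"}
    return {"decision": "allow", "visible": len(visible), "reason": "recipient list not exposed"}


def build_bulk_message(sender: str, subscribers: list[str], subject: str, body: str):
    """Build a newsletter that hides subscribers from one another.

    Only the sender (or a role/list address) appears in To.  The subscriber
    list is returned separately as the SMTP envelope recipients; it is never
    written into a header, so nothing leaks even if an MTA fails to strip Bcc.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = sorted({a.lower() for a in subscribers})
    return msg, envelope


# Constructed sample: the failure pattern, twelve subscribers in To.
LEAKY = (b"From: clinic@example.org\r\n"
         b"To: " + b", ".join(f"patient{i}@example.net".encode() for i in range(1, 13))
         + b"\r\nSubject: Newsletter\r\n\r\nHello\r\n")

# Constructed sample: the same newsletter with the list kept out of the headers.
SAFE = (b"From: clinic@example.org\r\nTo: clinic@example.org\r\n"
        b"Subject: Newsletter\r\n\r\nHello\r\n")


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("safe", SAFE)):
        print(label, check_outbound(raw))
    msg, env = build_bulk_message("clinic@example.org",
                                  ["Patient1@example.net", "patient2@example.net"],
                                  "Newsletter", "Hello")
    print("envelope recipients:", env, "| headers expose:", visible_recipients(msg))
```

The check runs at the gateway, after the sender has already made the mistake, which is why it belongs beside the builder: policy catches the slip, but a tool that never puts the list in a visible header removes the opportunity to make it. The envelope list would be passed to `smtplib.SMTP.sendmail(sender, envelope, msg.as_bytes())`, which delivers to every subscriber without any of them appearing in the message.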
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 