A hacker reportedly stole personal details including names, birthdates, national insurance numbers and radiation doses from Welsh NHS medical staff.
NHS Wales said that not every staff member was impacted in the same way since a different combination of data was being held on each staffer. Over 500 people working at Velindre NHS Trust and 654 at Betsi Cadwaladr University Health Board were victimised.
The Welsh NHS stated the data breach was “deeply disappointing”. Staff members were reportedly told of the incident in early March even though it first occurred in October last year.
Landauer told Velindre Hospital of the breach 4 January: “We are writing to inform you of a recent data security attack that was made on one of Landauer's UK servers. An unknown third party was able to install malware onto the server which made a copy of data.”
Andrea Hague, director at the Velindre NHS Trust said the delay in notification was due to “ongoing discussions with the host company”.
Velindre NHS Trust is carrying out a full investigation and working with Landauer to prevent any future breaches.
A spokesman for Betsi Cadwaladr health board said, “No patient information has been affected, 654 of our staff, current and past, have been affected by this security breach.
“We have contacted all the staff to reassure them that Landauer has acted swiftly to secure its servers and that, since the attack, it has undertaken significant measures in connection with its UK IT network to ensure that no further information can be compromised.”
Concerned about the months-long delay in advising affected medical professionals of their stolen data, Darren Millar, politician for the Clywd West constituency said, “This really is an astonishing data security breach. You've got thousands of NHS workers who've had their personal details compromised. The delays in informing those who've been affected are completely unacceptable.”
Lee Munson, security researcher at Comparitech.com commented: “The theft of personal information from Welsh medical staff highlights, once again, how a third party can be responsible for an organisation becoming breached. While the details of the attack are not yet clear, compromised staff may be asking whether the Velindre NHS Trust had appropriate access control measures in place, along with an appropriate set of security policies.
“The victims of this attack, at least one of which mistakenly believes they will not be targeted any time soon, despite the fact that it occurred five months ago, will need to be on the lookout for phishing attacks and suspicious activity surrounding their bank and credit card accounts. Identity theft should also be a real concern and they should already be taking the necessary steps to prevent long-term damage from this breach.”