This month has seen a major increase in the fines levied by the Information Commissioner for breaches of the Data Protection Act. Over the last 30 days, more than £500,000 in fines have been issued for three different breaches of the Act, with £415,000 of that total coming in the last 11 days. At the moment, it still seems to be primarily public sector organisations which are feeling the brunt of the ICO: two NHS trusts and one Council.
As is so often the case, most of these fines have been the result of easily avoidable security breaches, so while they appear harsh, it is understandable that the ICO is starting to lose patience and levy heavy penalties.
On 21 May, it was announced by the ICO that the Central London Community Healthcare NHS Trust was being fined £90,000 as a result of sending sensitive data without properly identifying the recipient. From the ICO’s press release:
The breach first occurred in March last year, after patient lists from the Pembridge Palliative Care Unit, intended for St John’s Hospice, were faxed to the wrong recipient. The individual informed the Trust in June that they had been receiving the patient lists – around 45 faxes over a three month period – but had shredded them.
Making this mistake once or twice is bad enough, but around 15 times a month for three months is pretty surprising. The press release continues:
The ICO’s investigation found that the Trust failed to have sufficient checks in place to ensure that sensitive information sent by fax was delivered to the correct recipient. The trust also failed to provide sufficient data protection guidance and training to the member of staff concerned.
So there are two fundamental failings here, one driven by lack of security awareness and one most likely driven by a misguided attempt to cut costs and save money.
Faxes are not a good way of sending sensitive information, as there is a lot that can go wrong. If you must fax data, then you absolutely must have a robust process in place to verify the recipient before each transmission. In this example, the problem should have been noticed when the FIRST fax went to the wrong person; failing to notice, and continuing to send the data to the wrong number for three months, is simply the result of a lack of understanding.
Good security training can be seen as costly (but it doesn’t have to be); however, as this example shows, if you do not invest in security awareness training, you risk a serious financial penalty. If the CLCH NHS Trust had been willing to invest £30,000 in security training, they would have avoided both compromising patient data and the resulting £90,000 fine, as well as the additional cost of having to deliver the training after the breach has occurred.
Remember, it is always cheaper to implement good security practice before something goes wrong. Cutting costs with security is a foolish measure as, eventually, you will need to pay for the security and cover any damage that has happened.
The next NHS Trust to come under the spotlight has the dubious honour of being the recipient of the largest Civil Monetary Penalty (CMP, effectively the ICO’s fine), since the ICO was granted the enhanced powers in 2010.
On 1 June, it was announced that Brighton and Sussex University Hospitals NHS Trust had been fined a record £325,000 for a major breach of the Data Protection Act, compromising massive numbers of staff and patient records.
In its press release, the ICO gives some indication of the scale of the breach and points to why the fine was so large:
[The penalty] follows the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine (GUM) patients – on hard drives sold on an Internet auction site in October and November 2010.
The data included details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports. It also included documents containing staff details including National Insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences.
This is quite a lot of very sensitive information, and if the NHS Trust has been negligent in disposal, the penalty seems reasonable. Unfortunately there seem to have been some major errors in how the Trust disposed of this data, and then in how it interacted with the ICO.
First off, the fundamental breach took place in a way that is all too common as more and more data processors look for cost effective ways to dispose of their data:
The data breach occurred when an individual engaged by the Trust’s IT service provider, Sussex Health Informatics Service (HIS), was tasked to destroy approximately 1000 hard drives held in a room accessed by key code at Brighton General Hospital in September and October 2010. A data recovery company bought four hard drives from a seller on an Internet auction site in December 2010, who had purchased them from the individual.
So, this seems to be saying that the company employed to dispose of the disks was at fault by allowing a (malicious?) employee to sell sensitive disks, which, as is often the case, eventually ended up on eBay.
Unfortunately this is a difficult situation to avoid – whenever you outsource a service, you have to trust the service provider to deliver. Ideally, the NHS Trust would have carried out a due diligence check on the provider and ensured that the contract for disposal was robust enough to demand proper measures be in place.
These two simple measures would have significantly reduced the chance of the data breach taking place, and if it still took place, it would have enabled the NHS Trust to pass off the fine (plus additional reputational damage) to the IT Service provider. Based on the Trust’s attempts to appeal the fine – and their statement that they are unable to pay it [As reported in The Independent and The Health Service Journal] – it seems likely that they do not have sufficient contractual authority here.
Whatever the reasons, it seems that the NHS Trust was overly trusting of its service provider and, as a result, is suffering the full force of the breach.
Things appear to have been made worse by the claim that these four disks were the only ones compromised:
Although the ICO was assured in our initial investigation following this discovery that only these four hard drives were affected, a university contacted us in April 2011 to advise that one of their students had purchased hard drives via an Internet auction site. An examination of the drives established that they contained data which belonged to the Trust.
Based on this report, it seems like the NHS Trust compounded their problem by not being able to properly identify how much data had leaked into the public domain. Once they have given an “assurance” over the number of disks lost, it is very damaging to their case for additional disks to appear.
The ICO continued:
The Trust has been unable to explain how the individual removed at least 252 of the approximate 1000 hard drives they were supposed to destroy from the hospital during their five days on site. They are not believed to have known the key code needed to access the room where the drives were stored, and were usually supervised by staff working for HIS. However, the Trust has acknowledged that the individual would have left the building for breaks, and that the hospital is publicly accessible.
Overall, this appears to be the result of a series of security lapses which are usually attributable to a lack of security awareness among staff and management commitment to protecting their data.
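One control that would have caught the gap between drives released and drives destroyed is a serial-level reconciliation of the disposal job. The following Python is an added example, not code from the original post, the Trust or the ICO; it assumes (as the post does not state) that every drive leaving the secure store is signed out by serial number and that the contractor returns a certificate of destruction listing each serial. The sample records are constructed.

```python
"""Reconcile a media-disposal job against its destruction certificates.

Added example (not from the original post). Assumes the organisation keeps
a sign-out log of drive serials released for disposal and receives a
certificate of destruction listing each serial actually destroyed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ReleaseRecord:
    """A drive signed out of the secure store for disposal."""
    serial: str
    released_on: date
    released_by: str


@dataclass(frozen=True)
class DestructionRecord:
    """One line of a contractor's certificate of destruction."""
    serial: str
    certificate_id: str
    destroyed_on: date


def reconcile(released, destroyed):
    """Compare released drives with certified-destroyed drives.

    Returns a dict with:
      unaccounted  - serials released but with no destruction record
      not_released - serials certified destroyed but never signed out
      bad_dates    - serials whose certificate predates the release
    Any non-empty list is a finding to chase before the job is closed.
    """
    release_by_serial = {}
    for r in released:
        # A serial signed out twice is itself a record-keeping fault;
        # keep the earliest release so the date check is conservative.
        prev = release_by_serial.get(r.serial)
        if prev is None or r.released_on < prev.released_on:
            release_by_serial[r.serial] = r

    destroyed_by_serial = {d.serial: d for d in destroyed}

    unaccounted = sorted(set(release_by_serial) - set(destroyed_by_serial))
    not_released = sorted(set(destroyed_by_serial) - set(release_by_serial))
    bad_dates = sorted(
        s for s, d in destroyed_by_serial.items()
        if s in release_by_serial
        and d.destroyed_on < release_by_serial[s].released_on
    )
    return {
        "unaccounted": unaccounted,
        "not_released": not_released,
        "bad_dates": bad_dates,
    }


def job_is_closed(released, destroyed):
    """True only when every released drive has a plausible certificate."""
    findings = reconcile(released, destroyed)
    return not any(findings.values())


# Constructed sample data: invented serials, names and dates.
SAMPLE_RELEASED = [
    ReleaseRecord("WD-0001", date(2010, 9, 6), "J. Smith"),
    ReleaseRecord("WD-0002", date(2010, 9, 6), "J. Smith"),
    ReleaseRecord("WD-0003", date(2010, 9, 7), "J. Smith"),
    ReleaseRecord("WD-0004", date(2010, 9, 7), "A. Jones"),
    ReleaseRecord("WD-0005", date(2010, 9, 8), "A. Jones"),
]
SAMPLE_DESTROYED = [
    DestructionRecord("WD-0001", "CERT-17", date(2010, 9, 10)),
    DestructionRecord("WD-0002", "CERT-17", date(2010, 9, 10)),
    DestructionRecord("WD-0004", "CERT-18", date(2010, 9, 1)),   # predates release
    DestructionRecord("WD-0099", "CERT-18", date(2010, 9, 10)),  # never signed out
]


if __name__ == "__main__":
    for name, serials in reconcile(SAMPLE_RELEASED, SAMPLE_DESTROYED).items():
        print(f"{name}: {serials}")
    print("job closed:", job_is_closed(SAMPLE_RELEASED, SAMPLE_DESTROYED))
```

On the sample data two drives are unaccounted for, one certificate names a serial that was never signed out, and one certificate is dated before the drive left the store, so the job cannot be closed. The point of running this before the contractor is paid is that the shortfall is found by the customer, at the time, rather than by whoever buys the drives later.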
Unfortunately this is yet another example of how, if management had opted to invest £100,000 in security over the last three years, they could have avoided a £325,000 fine. With hindsight it is obviously a sensible idea, however it seems the Trust’s management were fixated on cutting short term costs leaving themselves open to much greater longer term risks.
The non-NHS breach this month was by Telford and Wrekin Council, who disclosed sensitive personal data belonging to four children and, as a result, were fined £90,000.
From the ICO press release:
The fine was issued following two similar data breaches, which occurred within two months of each other.
The first occurred on 31 March 2011, when a member of staff working in Safeguarding Services sent the Social Care Core Assessment of one child to the child’s sibling instead of their mother, who lived at the same address. The assessment included sensitive details of the child’s behaviour. It also included the name and address, date of birth and ethnicity of a further young child who had made a serious allegation against one of the other children.
The second breach concerned the inclusion of the names and addresses of the foster care placements of two young children in their Placement Information Record (PIR). The PIR was printed out and shown to the children’s mother, who noticed the foster carers’ address. The Council then decided to move the children to alternative foster care placements to minimise the effect on the data subjects concerned.
This seems to be the result of a fairly simple mistake, but it has adversely affected the lives of several families (who, unfortunately, are unlikely to see any of the £90,000 CMP as compensation...).
While a lot of this breach is the result of inflexible IT systems (which is, in turn, the result of poor security involvement at the early stages of their design), it was compounded by a lack of staff awareness. For example, in the second breach the employee should have known that the PIR contained the foster carers’ address and should have taken steps to prevent its compromise.
Sadly, this is yet another example of how trying to save £30,000 on awareness training has resulted in a £90,000 fine (plus, having to spend the £30,000 after all).
The overall lesson from all these data breaches is simple: You do not save money by scrimping on security. If the three public bodies discussed here had spent about £150,000 between them on improving their security, it could have saved them three times that in fines alone.
Any money you don’t invest in security now will eventually have to be spent anyway, but it will be spent after the breach has damaged your reputation and after any fines or civil actions have taken additional money.
While these have been three public sector bodies, it makes sense for every organisation, public or private, to sit up and take note, then fully review its security risk management approach. If you have gaps in your security, take immediate action to control them. If you don’t know whether you have gaps, then you urgently need to undergo a full security assessment.
The longer you delay this, the bigger the problem will become.