Personal details of as many as 284 diabetes patients were exposed to third parties after NHS Highland erroneously emailed a spreadsheet containing their personal details to thirty-one people.
The data exposure took place on 17th November when an employee at NHS Highland emailed a spreadsheet containing the details of 284 diabetes patients to thirty-one people. Fortunately, the spreadsheet only contained the patients' names, dates of births, contact information, and hospital identification numbers but no healthcare data.
According to The Press and Journal, the spreadsheet included recorded notes of when patients attended or were offered training but did not contain any information pertaining to their medical history, diagnosis, or medication. Nevertheless, NHS Highland took the exposure seriously and contacted the affected patients via email.
“NHS Highland has directly contacted all of the patients affected by this data breach to apologise unreservedly. We have reported the incident to the Information Commissioner and are holding an investigation into this matter,” said Pamela Dudek, the chief executive of NHS Highland.
“31 people were sent information of a patient list of 284 people including contact details and date of birth. No medical information was included other than the name of the clinic. Individuals who received the excel spreadsheet containing the confidential information are being requested to delete the file by the health board with confirmation sought that the process has been followed through,” she added.
This is not the first time that NHS Highland has been in the middle of a serious data exposure incident. In June 2018, the health board exposed the names and email addresses of 37 HIV patients in an email that invited them to a support group run by Raigmore Hospital’s sexual health service.
“NHS Highland deeply regrets that this breach of confidentiality has happened and we have contacted patients individually to apologise. As per normal procedure, a formal internal review is being conducted to understand how this has happened and to consider any steps to avoid this happening in future,” a spokeswoman for NHA Highland said.
Commenting on the latest exposure of the personal data of 284 diabetes patients, Martin Jartelius, CSO at Outpost24, said that we are seeing too many organisations taking a lax approach to data security where no institution should be storing ultra-sensitive personal health information (PHI) or personally identifiable information (PII) in plain text in a spreadsheet.
"While this event is being reported as a data breach, in reality, it is nothing more than a critical clerical issue. Fortunately, the data was not stolen or openly distributed, however this is a lesson that organisations should take note of if they wish to avoid the headlines in the future," he added.
Paul Norris, a senior systems engineer at Tripwire, said that this breach, however contained in size, further confirms that unfortunately the risk of human error – whether it is sending out personal details to the wrong recipient or misconfiguring cloud storage – can never be completely eliminated.
"For this reason, having adequate security measures is a must for protecting data. Ensuring that each individual within the workforce has only the access necessary to do their job can help reduce the risk of a data leak occurring in this manner. Having multiple layers of security is vital to protect the data that matters," he added.