By Legal Futures Associate Hayes Connor Solicitors
February saw several data breaches nationally, many of which were human errors.
It is notable that two of the February breaches were in the healthcare sector, with one significant matter concerning sensitive medical details that were mistakenly shared.
Read on to learn more about the various and most significant data breaches that happened in February 2022.
4,000 files stolen from the Scottish Environmental Protection Agency
Scotland’s auditor general revealed in February that Sepa experienced a ransomware attack on Christmas Eve 2020. The attack led to 1.2GB of data stolen, approximately 4,000 files, leaving £42 million unaccounted for, as reported by the National Cyber Security News Today.
MSPs on Holyrood’s Public Audit Committee spoke directly to Stephen Boyle, the auditor general for Scotland, who expressed “the majority of Sepa’s data, including underlying financial records were encrypted, stolen or lost.
“Sepa had to recreate accounting records from bank and HMRC records. This made it difficult for the auditor to gain sufficient evidence to substantiate around £42m of its income from contracts.”
Once Sepa was aware of the ransomware attack, Police Scotland launched an investigation into the matter where they made the decision that the likely culprits of the attack were an international, serious organised crime group.
Despite the attack, Sepa was able to continue services 24 hours after the attack. However, it continues to be unresolved, with systems still being rebuilt and reinstated.
It’s so far believed that the ransomware attack has cost £1.2 million, but Mr Boyle, stated “The full financial impact is not yet known.
“Sepa will therefore continue to face financial and operational challenges in the years to come.”
It seems that a phishing email led to the attacks on the the system, with a member of staff clicking the link in human error.
Isle of Man kettle safety control firm face cyber attack
ITV News shared that an Isle of White firm, Strix Group, which makes kettle safety controls, were targeted by cyber hackers.
The cyber hackers are presumed to be based in Russia. Since the country’s invasion of Ukraine, Russia’s cyber capabilities seem to have been increased by authorities, resulting in more attacks from Russian origins.
The Strix group revealed that during the attack, only their UK and island servers were affected. They certified that no customer’s order or sales had been impacted by the cyber attack. A spokesperson stated, “all businesses within the Group remaining operational.”
The Strix group reacted quickly to the attack, saying that they “immediately engaged external specialists and took precautionary measures”. There was an immediate investigation into the incident, and whilst this occurred, they took their systems offline.
Business is back to normal for the company, although they are taking precautions and have appointed cyber security experts to prevent such an attack from happening again in the near future.
Four serious breaches reported by Redcar and Cleveland Borough Council
Darlington & Stockton Times reported in February that the Redcar and Cleveland Borough Council faced 60 data breaches in 2021, four of which were severe enough that they had to be reported to the ICO for investigation.
The particular breaches included two similar incidents in which several reports and paperwork were disclosed to individuals by mistake. A third incident was where a report containing sensitive information was reported to have never arrived at its intended location, there is no update as to whether this was found. The final breach was down to “unauthorised access” and the subsequent disclosure of information.
In response to the four reported breaches, the ICO stated that they were “content with the actions already taken by the council.
“The cases were closed without enforcement action or fine, although the council was asked to monitor and report back to the ICO if any detriment was subsequently identified as having been caused.”
The council had its fair share of data breaches in 2021, which the ICO expressed is common for a council of its size.
The council expressed that proper actions are always taken to report any data breach incidents that occur, such as their own investigation, in order to uncover the cause and how they can prevent such matters from happening again in the future.
Vaccine trial in Corby resulted in participant’s sensitive information in email blunder
The Northamptonshire Telegraph report that a vaccine trial in Corby by research company Lakeside Healthcare Research accidentally released participant’s data in a human error.
The research company was in the middle of a trial for a new Valneva vaccine, with said trial being conducted in 27 locations across the UK, including Corby, where the breach occurred.
The data breach blunder occurred when the research team sent an email concerning the COVID-19 booster vaccine. Instead of sending each person a blind carbon copy, the email was sent as a carbon copy, meaning each receiver could see the email addresses of every other receiver.
One anonymous participant of the trial expressed her feelings on the data breach, saying, “Within that email they copied every single person who has been on that trial. You could see everyone’s personal email address.
“It’s personal information and it’s absolutely disgraceful. If you’re taking part in a medical trial you don’t always want people to know that.
“There were people responding saying ‘yes count me in’ and they were completely unaware.”
The anonymous participant followed up the gaffe with a phone call to the company, where it was verified that any person who had not already opened the email would be denied access as it has since been recalled. This, unfortunately, doesn’t confirm whether those who have already opened the email can still access it.
The research company have since apologised to the victims of the breach and asked for the original email to be deleted from their inboxes. They have further advised they are ensuring all members of staff participate in re-training, in addition to conducting an investigation into the matter in an attempt to determine how the data breach happened.
NHS data breach led to patient’s private medical information mistakenly shared
The Mail Online reported that a Preston-based consultancy firm, PSL Print Management, paid millions of pounds each year by the NHS, accidentally exposed confidential files of patients.
The data breach occurred after the consultancy firm had sent a memory stick to an employee at the firm. The memory stick contained the firm’s entire email server, including private documents of NHS patients, with some dating all the way back to 2015.
The private documents released in the data breach consisted of hospital appointment letters for women who had suffered from miscarriages, cervical screen test results, letters addressed to parents of children needing surgery at Liverpool’s Alder Hey Children’s Hospital. The documents contain sensitive information such as names, addresses, phone numbers and NHS numbers.
The ISO was made aware by the NHS after a whistleblower who had received the memory stick advised the NHS. Since learning of the data breach, the ISO launched an investigation into the incident. Data protection consultant Tim Turner stated, “This is genuinely shocking. The NHS should be declaring a major incident.”
What to do if you or a client needs help with a data breach
If you are an unfortunate victim of a data breach and need specialist legal expertise, the data breach solicitors at Hayes Connor are on hand to navigate and overcome the complex situation.
Whether you are a law firm looking to refer a client needing a bespoke service or an individual needing support, the team at Hayes Connor have the knowledge and experience to assist.
The Hayes Connor data breach team is one of the largest nationally, with a dedication to aid victims of data breach incidents. The team will provide tailored advice and close personal support to ensure clients get the outcome they desire.
If you are interested in learning more about Hayes Connor’s data breach expertise or wish to enquire about a potential claim or client referral, please don’t hesitate to contact Hayes Connor, where the team can assist.