Vaughan Gething, Cabinet Secretary for Health, Well-being and Sport
In my response to the urgent question, I promised to update Members on the cyber security attack on Landauer, the third party company providing the Radiation Protection Service for Velindre NHS Trust, on behalf of NHS Wales, which resulted in some personal information of staff being accessed illegally.
The Radiation Protection Service is responsible for providing a radiation dose meter service for NHS Wales and non-NHS organisations in Wales for staff who work with X-rays, and meets the requirement that all staff at risk of exposure to radiation are monitored. This important system, and the information held within it, provides vital assurance and safeguards for staff.
Velindre NHS Trust was first notified about the incident by Landauer on 17 January 2017 by letter. Full details of the incident were provided electronically to Velindre NHS Trust by Landauer on 26 January 2017. Once received, Velindre NHS Trust commenced an in-depth analysis to validate and cleanse the six years' worth of data supplied, in order to identify affected individuals. This was an important step in the process to remove dummy entries, identify duplicates, establish current contact details for all those involved and, more importantly, to ensure that there was no attempt to contact individuals who had since passed away. As information became available, the leads in each of the Health Boards and non-NHS groups were informed by Velindre NHS Trust. This was carried out between 22 February and 9 March 2017.
The details of over 3,400 NHS staff and over 1,300 non-NHS staff were accessed. The information accessed on individuals was a combination of some or all of the following - names, dates of birth, radiation doses and National Insurance numbers. Health Boards and Trusts have confirmed that all NHS staff that they have been able to identify have either already been notified, or will be notified, by the end of the week. Processes are in place to notify former NHS employees affected and non-NHS staff affected. I have sought assurances from all Boards and Trusts that support will be provided to those affected and reassurance given to those whose details were not accessed.
I would like to be clear that this was not a breach of an NHS Wales system and is not unique to Wales. This was a cyber attack on the third-party supplier Landauer, which has confirmed that the breach occurred on its UK servers housed at its headquarters in Oxfordshire.
This also impacted NHS organisations in both Scotland and England.
Landauer is a global leader in integrated radiation safety products and provides services to a wide range of public sectors including healthcare, education and national security. The contract to deliver the radiation protection service was awarded to Landauer in 2011 following a competitive tender process.
A full investigation into the incident is under way within Velindre NHS Trust, which will also consider any delays in the notification process. I have also asked my officials to establish a data breach investigation group to review this episode, in order to determine future actions and provide assurance. I expect these to report within a month.
The Information Commissioner’s Office has been informed of this incident and will undertake its own review.
In addition, a review of all nationally hosted systems covered by third party providers will be undertaken in order to provide further assurance.
NHS Wales organisations work closely together in respect of cyber security. Each NHS Wales organisation has a Caldicott Guardian and a Senior Information Risk Owner (SIRO) who lead on protecting patient and staff data, in addition to a number of all-Wales groups:
- The Operational Security Services Management Board - attended by the Head of Security from each organisation;
- The Infrastructure Management Board - attended by the Head of IT from each organisation;
- The Implementation Planning and Delivery Group - attended by the Associate Director of Informatics from each organisation; and,
- The National Informatics Management Board - attended by the Executive lead for IT from each organisation.
Once all investigations have been completed and full reports provided, I will issue a further written statement.