Hackers steal personal data of thousands of hospital staff

Information on staff accessed through attack on IT contractor's server.
Written by Danny Palmer, Senior Writer on

Hackers have gained access to personal data of hospital staff.

Image: iStock

Hackers have stolen information about thousands of NHS medical professionals by compromising the server of a private contractor.

Cyberattackers infiltrated a data server operated by IT supplier Landauer, stealing a mix of names, dates of birth, radiation doses, and National Insurance numbers of staff who work with X-Rays.

Velindre NHS Trust in Cardiff operates radiation services for health boards across Wales through its Velindre Cancer Centre. In an email sent to ZDNet, the Trust confirmed that 530 of its own staff have been affected by the breach and it has contacted all those involved.

"Velindre NHS Trust has received notification that an unauthorised third party has illegally gained access to a data server used by one of the Trust's IT suppliers, Landauer.

"Landauer has indicated that the breach was made on one of its UK servers, directly impacting on the Radiation Protection Service (RPS), a facility run through the Velindre Cancer Centre," the Trust said.

"All those people affected by this incident are being kept updated with developments and supported with guidance and advice, as appropriate," said a Velindre spokesperson.

Velindre's responsibility for running X-Ray services of other hospitals in Wales has resulted in breach at Landauer has also affecting staff at the Betsi Cadwaladr University Health Board in North Wales.

A spokesperson for Betsi Cadwaladr confirmed that 654 current and present staff have been affected by the breach at Landauer but that "no patient information has been affected by this breach".

According to the BBC, the cyberattack against Landauer also affected NHS staff in England and Scotland, as well as some people working in private dental and veterinary services.

The attack took place in October 2016, but Velindre was only informed of the attack on January 17 of this year.

The reasons for the three-month delay in the private contractor notifying their NHS customers are as of yet unknown but a Velindre spokesperson told ZDNet that it's "the subject of ongoing discussions with the host company" and the fact the incident occurred in the first place is "deeply disappointing".

As the organisation responsible for running the Radiation Protection Service, Velindre NHS is running an investigation into the hack and working with Landauer to "ensure that all measures are put in place to prevent any such breach in the future," the Trust said.

"Landauer has arranged for the staff affected to have free access to the credit monitoring agency Experian for the next 24 months," said the Betsi Cadwaldar spokesperson.

An Information Commissioner's Office spokesperson told ZDNet the body is "aware of this incident" and is "making enquires" while a report on the incident has also been submitted to the Welsh government.

There's currently no indication as to how hackers managed to infiltrate Landauer servers. ZDNet has contacted the company but had not received a response at the time of publishing.

Read more on cybercrime

Editorial standards