Data Breach Risks in a Healthcare Setting

The Health Sector handles some of the most sensitive personal data, and individuals have the right to expect that this information will be looked after.

The latest data from the Information Commissioner's Office (ICO) (Q4 2019/20) on Reported Data Security Incidents shows that the Health Sector remains the biggest contributor (16%).

In a sector that relies so heavily on technology, cyber security incidents accounted for only 14% of all Health Sector breaches.

Human error is still the primary cause of the majority of breaches. A quarter of all breaches during the reporting period were caused by data being emailed or posted to the wrong person.

This would suggest that there is still a long way to go in educating all staff in this sector about their duties and responsibilities under GDPR.


All information governance SIRIs (Serious Incidents Requiring Investigation) which occur in health, public health and adult social care services must be reported at the earliest opportunity and handled effectively.

All health service organisations in England must now use the Data Security and Protection Incident Reporting tool (the incident reporting tool for the NHS in England). This reports SIRIs to NHS Digital, the Department of Health, the ICO and other regulators.

The ICO has guidance on its website on how to report an incident using that tool.

If you are signed up to the tool you should use it to report the breach.


The ICO describes itself as a reasonable and pragmatic regulator.

Particularly during the Covid-19 crisis, the ICO has been quick to confirm that data protection and electronic communication laws do not stop any organisation from responding to the public health crisis. It has confirmed that, whilst compliance is still required, it will take into account the compelling public interest when considering any compliance issues.

Having said that, the safety and security of the public remains its primary concern, and when appropriate it is prepared to use the powers given to it.

The fine imposed on a London-based pharmacy of £275,000 for failing to ensure the security of special category data is a good example.

Doorstep Dispensaree Ltd, which supplies medicines to customers and care homes, left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.

These documents were not 'lost' or disclosed to a third party, but they became water damaged as a result of the failure to store them properly.

This enforcement action demonstrates that the ICO is prepared to impose significant fines when special category data is not adequately protected.

Data security incidents in the Health Sector remain a key area of action for the ICO.


With human error still being the primary cause of breaches in this sector, it is clear that organisations need to remain focused on training.

Each individual breach leaves the individual concerned exposed to prosecution, and the organisation facing a fine from the ICO and a civil claim, not to mention the loss of confidence and faith in the sector as a whole.

These issues can be resolved by equipping staff to handle personal data.

Despite the media attention when a cyber attack or data breach does occur, cyber attacks do not even rank among the five most common types of data security incident. The top causes are almost entirely organisations, or more accurately staff within organisations, accidentally releasing or leaking data.

There needs to be more training and awareness. It is also perhaps time for the sector to embrace digital solutions, with technology that supports and secures the work it does.

For more information on the article above and to discuss training for your organisation contact Christopher Francis.