In January this year Norway’s South-East Regional Health Authority admitted a data breach, and it was serious. The Authority is responsible for managing all hospitals in the southeast of Norway. It conceded that the medical records of 2.9 million Norwegians had been potentially exposed to cyber attack.
Significantly, it took the organisation seven days from the date it became aware of the attack to publicise the breach. That is well outside the timetable GDPR imposes (and note that the clock is measured against notification to the regulator, not against a public announcement):
- A personal data breach must be notified to the supervisory authority within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; and
- Where the breach is likely to result in a high risk to the rights and freedoms of individuals, those individuals must be informed ‘without undue delay’.
WHY ARE HEALTHCARE INSTITUTIONS SO VULNERABLE TO ATTACK?
One reason why medical organisations are so vulnerable to attack is the type of data they typically hold: precisely the personal information that is of value to criminals. Once stolen, medical data makes identity theft and other fraud easier, and unlike a payment card a medical history cannot be cancelled and reissued.
And the number of cyber attacks on hospitals and other healthcare institutions is undoubtedly increasing. Last year, for example, the WannaCry attack disrupted large parts of the NHS, affecting as many as a third of hospital trusts in England. A report into the incident by the National Audit Office concluded that the attack was relatively unsophisticated: WannaCry was not aimed at the NHS but spread on its own through a known Windows vulnerability for which a patch had been available for two months. Worryingly, the NAO found that the attack ‘could have been prevented by the NHS following basic IT security best practice’.
A survey published by Accenture in 2017 found that 1 in 8 consumers had had their health data stolen. From a GDPR perspective, and in particular that of the breach notification requirements, the more alarming finding was how they learned of it: 36% of those whose data had been stolen found out about it themselves, and only 20% were told about the breach by the organisation that had been attacked.
WHAT IS A PERSONAL DATA BREACH?
GDPR (Article 4(12)) defines a personal data breach as follows:
“A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.”
The breach may be deliberate or accidental, and can include access to data by an unauthorised third party, sending data to the wrong recipient and alteration of personal data without authorisation. Note that loss of availability also counts: patient records encrypted by ransomware and not recoverable from backup are a personal data breach even if nothing ever left the organisation.
IS MY BUSINESS SUBJECT TO GDPR?
Most of the data breaches we read about involve large, often multinational organisations. But remember that GDPR will affect most companies. At Big Data Law in London we advise a range of companies – small and large – on their obligations under GDPR.
Responsibilities under GDPR will vary depending on the type of data you collect, store and make use of, and some of the obligations are relaxed for smaller companies (the duty to keep records of processing activities, for example, applies only in limited circumstances to organisations with fewer than 250 employees). However, one thing is clear: you cannot afford to ignore GDPR. Fines for non-compliance may well be ruinous.
Given that one of the central objectives of GDPR is to give individuals back control of their personal data, we believe best practice dictates that your company should make every effort to observe the GDPR rules as closely as possible, whatever the size of your business.
CAN I IGNORE A DATA BREACH?
At your peril. One of the reasons why GDPR is attracting so much publicity is its regime of sanctions. If you fail to notify the appropriate authority about a breach when required to do so, your company can face a fine of up to €10 million or 2% of your global annual turnover, whichever is higher.
To find out how we can help you prepare for GDPR call us on 0203 670 5540 or complete our online enquiry form.