
Are hospitals doing enough to protect patient confidentiality?

One in 13 patients will have their records stolen after a healthcare provider data breach[1]. However, despite the headlines, fraudsters don’t just use the internet to get their hands on our sensitive information. So, while hospitals are looking at what they can do to protect our online data, they must also look at improving security measures to prevent unauthorised physical access to sensitive medical records.

In an unusual case, our solicitors saw just how one fraudster was able to get his hands on sensitive medical information by impersonating a member of the hospital’s medical team.

What happened in this case?

In this data breach, a woman (our client) was a patient in hospital, having just given birth. However, while she was there, a fraudster impersonated a doctor to obtain information about her personal medical situation.

A student nurse provided the highly sensitive information to the imposter, which included details about a disease with which our client had recently been diagnosed, and with which she was struggling to come to terms.

To date, nothing untoward has happened to our client following this incident, and there has been no contact from the person who obtained her medical records. But as she still does not know who accessed her data, and what might be done with it, this situation is incredibly disturbing, and understandably this uncertainty has caused the woman considerable distress.

Lessons learned

Hospitals and other healthcare organisations need to do more to protect sensitive patient data.

All too often employees are involved in healthcare data breaches, and as such, employee training and awareness must form a core part of any security strategy and measures.

In this case, the hospital in question subsequently investigated the incident and agreed to improve their security systems and internal practices. Just simple steps such as ensuring that all members of staff wear ID at all times can make a big difference.

For more advice on how to keep your data safe, follow Hayes Connor on Twitter or give us a like on Facebook. Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.

[1] Accenture


Sandwell Council suffers 500 data breaches in just five years

Following an investigation by The Express & Star, it has been revealed that almost 500 data breaches have occurred at Sandwell Council in the past five years.

According to the report, sensitive information has been either stolen, lost or incorrectly disclosed. And in some cases, people’s names and addresses were unintentionally shared.

Sandwell has classed all 499 data breaches as ‘low level’ incidents. However, with one data breach occurring every four days on average, this is sure to be worrying for people living in the area.

Sandwell Council is said to be reviewing its ‘information governance arrangements’. However, speaking about the findings, which were made available following a Freedom of Information request by the newspaper, a spokesperson said: “The majority of these minor data breaches have occurred in cases where data is being transferred internally between council departments, rather than to outside organisations.

“These low-level data breaches will occasionally have included the unintentional sharing of, for example, a name or address.

“None of the breaches met the threshold requiring referral to the Information Commissioner.

“The council takes action in respect of every breach, however minor, and can in many cases recover the data immediately.

“It must be remembered that the council handles thousands of pieces of data every single day.”

Not good enough

These violations correspond with our experiences of data breaches at local authorities across the country, where in most cases it’s human error rather than cybercrime that is the biggest cause of data privacy violations.

However, we would argue that handling thousands of pieces of data every day is not a good enough excuse when it comes to data protection failures.

For example, some of the breaches involved staff accidentally sending emails or paperwork to the wrong people. And, while Sandwell Council might consider this to be a low-level data breach, the devastation such negligence can cause can’t be underestimated.

For example, in a recent case, our solicitors saw first-hand what can happen when a local authority sent a copy of a court order containing sensitive personal information about a father (our client) and his daughter to the wrong postal address.

This mistake saw the letter being sent to and read by a neighbour, before being divulged to other family members and neighbours. This caused considerable distress, upset and embarrassment to our client and his family. As such, the consequences of this “small” error were far-reaching.

What can you do to stop this from happening to you?

If you are concerned that your data might be at risk, either by Sandwell Council, or another local authority, you can ask for a copy of the data the council holds about you. This is called making a subject access request (SAR). Find out more about making a SAR.

This won’t guarantee that an error doesn’t result in information being sent to the wrong person, but it is a reasonable safety precaution to take. You can also ask the council for a copy of their acceptable use policy and data protection policy.

Not just hackers

Data breaches are not just caused by cybercriminals. For more advice on how to keep your data safe, follow our #notjusthackers campaign on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.

 


Are you sharing too much on social media?

The Facebook/Cambridge Analytica scandal highlighted what can happen when we share our data online. In this case, a researcher garnered details on the likes and habits of Facebook users (without their consent) via a personality quiz app called ‘This is Your Digital Life’. Cambridge Analytica then used this data to target users with political messaging.

But, despite the media attention this case received – and the possible impact on our democracy – it seems that plenty of us are still willing to hand over our information without thinking about the consequences.

The problem with memes

The latest trend across Facebook, Instagram and Twitter is to share a then-and-now picture. But how many people who took part in this “innocent” meme have considered how facial recognition software could be used to exploit this data?

Writing in Wired, Kate O’Neill argues that: “Like most emerging technology, there’s a chance of fraught consequences. Age progression could someday factor into insurance assessment and health care. For example, if you seem to be aging faster than your cohorts, perhaps you’re not a very good insurance risk. You may pay more or be denied coverage.”

She also refutes claims that there is nothing to worry about because “if you have been on social media for a long time the various platforms have this information anyway”. Instead, she argues that a simple, helpfully labelled set of then-and-now photos would be of much more value to these companies than having to trawl through hundreds (if not thousands) of unrelated images.

And it’s not just this current meme that is causing concern. How often do we share when we are away on holiday, when our birthday is, our mother’s maiden name, the name of our first pet, and even where we live? All data that can be used against us if it falls into the wrong hands.

Just a simple “what is your pirate/superhero/band name” post can reveal the answer to some of the most common security questions used by our banks.

Our responsibility to ourselves

It is absolutely right that we are demanding that organisations look after our data with respect, but it is also crucial that we apply the same standards to our own behaviour if we want to stay safe.

For example, when using technology, we must be conscious of the data we are sharing, and how it can be used. On social media this includes things like:

  • Not accepting friend requests from people you don’t know
  • Being careful about what you share online
  • Removing location data from your posts
  • Using a different password for all your accounts
  • Using two-factor authentication
  • Checking the privacy settings of all your accounts
  • Not downloading suspicious apps
  • Thinking twice before clicking on any links
  • Reading the T&Cs of any games or apps you want to use
  • Being aware of common phishing techniques and keeping an eye out for fraudsters who attempt to gather additional personal information.

Today, social media is part of everyday life. So we would never suggest that you stop using it if you don’t want to. But some simple steps can help you to stay safe.

At Hayes Connor, we believe that raising awareness of cybersecurity issues will help to protect ourselves as individuals. For more advice on how to keep your data safe, follow us on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call on 0330 995 0070 to discuss your case in more depth.


The importance of looking after sensitive candidate information during the recruitment process

When applying for a job, we trust recruiters and the places we hope to work with a vast amount of sensitive information. But all too often this isn’t looked after as well as it should be.

In a recent case, our solicitors saw the impact of what can happen when sensitive information supplied as part of a job application was processed incorrectly.

What happened in this case?

In this data breach, the individual managing the recruitment process wrongly addressed sensitive applicant information and failed to send it by recorded delivery or hand delivery, as was the company’s standard purported practice.

The documentation included the following material:

  • A copy of the applicant’s passport
  • A copy of her driving licence
  • A copy of her birth certificate
  • Two letters to prove her address/identity
  • Copies of her NVQ certificates.

The information has still not been recovered and therefore remains a potential threat to our client.

As a direct result of this data breach, our client has suffered severe psychological effects, including stress, anxiety and trauma. So much so that her GP has prescribed medication.

Lessons learned

In many cases, data breaches such as this can be avoided by employees abiding by the data protection principles of their organisations. But it is up to these organisations to make sure that all staff receive regular data protection training to make sure they understand the potential consequences of breaching data protection laws.

Not just hackers

At Hayes Connor, we want to reduce the number of data violations taking place across the UK. To do this, we are sharing such real-life examples of data breaches to raise awareness of this issue and educate people to prevent similar mistakes from happening.

For more advice on how to keep your data safe, follow our #notjusthackers campaign on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.

 


Hospital gives sensitive pregnancy discharge pack to wrong woman

Before they leave hospital, new mothers are given a set of postnatal notes, with information about their labour, delivery and postnatal care in hospital.

In a recent case, we saw the impact of what can happen when this personal pregnancy discharge pack was given to the wrong person by mistake.

What happened in this case?

Following the birth of her son, a woman was contacted on Facebook by a woman who knew her name, address and other personal information. Due to the personal information disclosed via the message she thought she was being contacted by her estranged mother and sister. This caused her considerable upset.

However, it eventually became clear that she was being contacted by a stranger who had been given her pregnancy discharge pack and the personal details of her son by mistake. This happened despite the fact that the other woman had attended a completely different hospital in a different town from her.

As a result of this data breach, the woman suffered stress, anxiety and trauma, which resulted in her needing medication from her GP. She has also suffered from ongoing flashbacks of family problems.

Lessons learned

The healthcare sector handles some of our most sensitive personal data, and, as patients, we have the right to expect this will be looked after. However, all too often this isn’t the case.

Hospitals and other healthcare organisations need to do more to protect sensitive patient data. It is vital that there are adequate and robust protections in place to secure patient information and that healthcare staff have the knowledge and ability to handle such data securely.


Bank sends credit card statements to the wrong person

Financial crime is a hot topic at the moment, with stories about push payment fraud and takeover fraud leaving people worried about what could happen if they became the victim of a bank scam.

But in many cases, it’s human error rather than cybercrime that is the biggest cause of financial data breaches. And these errors are just as likely to happen offline.

In a recent case, our solicitors saw the impact of what can happen when a person’s financial information was sent to the wrong address by mistake.

What happened in this case?

In this data breach, a bank sent partial credit card statements to the wrong person. The information was sent to a completely different person to the account holder (our client), attached to the back of a bundle of documents she had requested.

Luckily, in this instance the woman who received our client’s statements was honest, and despite being a complete stranger she contacted him to let him know what had happened. She also reported the incident to her local branch, although she was not satisfied with how the bank proposed to deal with the matter. If such a simple error can be made, what’s to say it couldn’t happen to other customers?

As a direct result of this admin error, this data breach has caused considerable distress and worry to our client. He has now lost confidence in his bank and can’t be sure if his sensitive and personal data has been further breached.

Lessons learned

Banks, credit card providers and other financial institutions need to do more to protect sensitive financial data.

All too often staff are involved in such data breaches, so employee training and awareness must form a core part of any security strategy and measures.

If you are an employee of a financial organisation and want to make sure that you don’t make a similar mistake, talk to your employer about any processes that can be put in place to make sure that this doesn’t happen to you. Such steps could include things like additional data protection training, secure systems for storing information, checks and balances on systems generating correspondence, and measures to ensure that the correct information is being sent to customers.

This is especially important if you deal with sensitive financial information which could cause serious harm if it falls into the wrong hands.


Sharing data? Think before you do

With human error the leading cause of data breaches, the Information Commissioner’s Office (ICO) has produced a handy toolkit to help businesses communicate the importance of information security to staff.

At Hayes Connor, we’re sharing some of the tips included in this toolkit to raise awareness of the importance of this issue, and to help organisations across the UK improve their data protection processes.

Tip: All information you work with has value. Share it appropriately

The risk of data sharing  

We live in a data-driven world, so it’s not unusual for us to share our personal information with organisations. Not least because sharing this data tends to make life easier and more convenient. But it’s vital that our data is only used in ways we would expect, and that it is kept safe.

In a recent case, we saw the impact of what can happen when a gym provided a woman’s personal details – including her home address – by mistake to another customer who shared her name. This error led to considerable distress, upset and even fear.

Quick tips

  • Employers must understand the importance of data protection and make sure that strict policies and procedures are put in place to ensure the safe processing of information – both in and out of the office
  • In many cases, data breaches can be avoided by staff abiding by the data protection principles of their businesses. But it is up to employers to make sure that all staff receive regular data protection training to make sure they understand the potential consequences of breaching data protection laws
  • Organisations must do more to protect personal information. For example, by designing systems that only allow the relevant people to have access
  • Every staff member accessing personal records should provide a reason for doing so.


Make sure you enter your email address correctly when signing up online!

According to a recent report, people are unwittingly “handing over the keys to their digital life”. BBC News has revealed that journalists were able to see details of a stranger’s credit report after an individual entered the wrong email address when signing up to the online service.

In this case, a person signed up to a credit service, but when doing so, entered a slightly incorrect email address. This email address then doubled as the account username.

When an email was sent from the credit service to confirm the account, it was, therefore, sent to the wrong person: someone whose email address was almost the same as theirs.

And because this stranger had full access to the account, they could get into the account and even change the password. So, one small mistake let the wrong person see a huge range of personal information including the date of birth and previous addresses of the actual account holder, as well as information about their applications for credit.

The problem with email

Most of us hand over our email addresses in return for services. And we do so willingly. But our email address provides a way into our digital life. Just one wrong letter or a dot in the wrong place could mean that our personal and sensitive information falls into the wrong hands.

In most cases, if someone with a name like yours gets access to a service you signed up for they are likely to delete it (often thinking it might be spam). But are you willing to take that risk?

In this case, the information accessed would be extremely valuable to cybercriminals, who could use it to apply for loans and other credit in your name.

How to protect yourself

At present, most businesses have processes in place to respond to errors and stop fraud from happening. But what if you don’t know you have made a mistake until it is too late?

Valuable data is being put at risk by people inputting the wrong email address. So simply having a few words of warning on a site asking people to check that they have entered the right details isn’t working.

In response, companies are being urged to find other ways to check their customers are who they say they are (e.g. two-factor authentication and ensuring people signing up for a service enter their email address twice – with no cut and paste option).

But to keep yourself safe online it’s vital that you do everything you can to protect yourself from fraud, and become more vigilant when signing up online.

For more advice on how to keep safe online, follow Hayes Connor on Twitter or give us a like on Facebook. Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call on 0151 363 5895.


What can happen when sensitive information gets sent to the wrong address?

Cybercrime is rarely out of the headlines, leaving many of us worried about what could happen if our personal data became a target of online fraudsters. But in most cases, it is human error rather than cybercrime that is the biggest cause of data breaches. And, these errors are just as likely to happen offline.

In a recent case, our solicitors saw the impact of what can happen when sensitive information was sent to the wrong address by mistake.

What happened in this case?

In this data breach, a local authority sent a copy of a court order containing sensitive personal information about a father (our client) and his daughter to the wrong postal address.

Just a small error saw the letter being sent to a neighbour, who brought it round to the right address. But the letter had been opened and after talking to the neighbour it soon became clear that it had also been read.

What’s more, when the letter was passed to the right house, it wasn’t handed to the right person. Because it was opened, it was then read by another member of the family who became distressed at the contents. This went on to cause difficulties in the family.

As a direct result of a seemingly small admin error when posting the letter, this data breach has caused considerable distress, upset and embarrassment to our client and his family. Not only did our client have to explain a sensitive situation to his family in more detail than might otherwise have been necessary, but his neighbours are also aware of a very private and sensitive situation – one which has been talked about within the small local community where he lives. As such, the consequences of the error were far-reaching.

What can you do to stop this from happening to you?

There are a few lessons that can be learned from this case. For example, when handing over your postal address in return for services it is vital that you check that these details have been taken down correctly.

You are completely within your rights to ask for a copy of the data a local authority (or any other organisation) holds about you. This is called making a subject access request (SAR). Find out more about making a SAR.

Of course, this won’t guarantee that an error doesn’t result in a letter going to the wrong address (especially if the label is handwritten), but it is a good safety precaution to take.

Alternatively, if you are an employee of a local authority and want to make sure that you don’t make a similar mistake, talk to your employer about any processes that can be put in place to make sure that the addresses of your customers are correct. This is especially important if you deal with sensitive information. Such steps could include things like additional data protection training, and checks and balances on systems generating correspondence.

For more advice on how to keep safe online, follow Hayes Connor on Twitter or give us a like on Facebook. Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.


Human error rather than cybercrime biggest cause of self-reported data protection breaches

According to the Information Commissioner’s Office (ICO), the number of reported data protection breaches has almost doubled since April this year.

The increase has happened since the introduction of the General Data Protection Regulation (GDPR) on May 25th. Under the GDPR the self-reporting of data breaches is now mandatory. As such, we can expect data breach reporting to continue to rise.

However, despite fears about cybercrime, human error is seven times more likely to cause data protection breaches than hackers.

According to data released under the Freedom of Information Act, out of 2,124 self-reported data breaches in 2017-18, fewer than 300 were because of cybercrime.

Common causes for these data violations include:

  • Data sent to the wrong recipient
  • Loss or theft of paperwork
  • Failure to redact data
  • Failure to use bcc when sending an email
  • Unencrypted devices being lost or stolen

Worryingly, while cybercrime is not responsible for most data protection breaches, reported cybersecurity incidents have increased by 31% over the same period. Of these attacks, malware, phishing and ransomware were the most common culprits.

Which sectors report the most data protection breaches?

The sectors most affected by data protection breaches are:

  • Healthcare with 1,214 data breach reports (this sector was already subject to self-reporting before the GDPR)
  • General business with 362 data breach reports
  • Education and childcare with 354 data breach reports
  • Local government with 328 data breach reports.

In total, taking into account self-reported breaches and complaints from elsewhere, the ICO received a staggering 21,019 data protection concerns in 2017/18.

What can you do if you are the victim of a data protection breach?

The ICO can impose hefty fines on organisations that don’t meet their obligations under the Data Protection Act. The biggest fine it has issued so far is for £400,000, but that was made before the new GDPR rules. However, the ICO does not award compensation to victims.

If you have suffered damage or distress caused by an organisation breaching any part of the Data Protection Act, you have a right to claim compensation. At Hayes Connor Solicitors, we’ve been helping people to do just that for over 50 years, so we know what it takes to make a successful data breach compensation claim.

Crucially, the law recognises the potential damage that is caused by psychological suffering. So, you can make a compensation claim if you have struggled emotionally following a data breach, even if you have not experienced any financial loss.

Our expert, friendly team will advise you on whether you have a valid claim and will be pleased to answer any questions you might have. If you are not sure whether your information has been misused or mishandled, we can find this out for you.

If we believe you have a substantial, complex case, we’ll go through your options with you and may be able to act for you on a NO WIN, NO FEE basis. For smaller claims, our quick assessment form will help you to start your claim, quickly and easily. So you can be sure of receiving your compensation in the shortest possible time.

We can help you to claim compensation for data protection breaches, data leaks, human rights breaches, and the misuse of personal information.

At Hayes Connor Solicitors, we understand that making a compensation claim can be stressful; especially where your sensitive information has already been breached. That’s why we remove the jargon from the process and make sure you always know what’s happening with your case. Of course, it goes without saying that our process is fully compliant with ICO guidance and we never put your details at risk.
