Southern Health NHS Trust pays settlement in data breach claim

Southern Health NHS Trust has admitted failing in its data protection obligations following an incident which involved a member of its staff accessing and sharing details of a patient’s confidential medical records without consent.

The breach took place in 2016 but was only discovered more than two years later following a Right of Access information request by Fordingbridge resident Robert Richardson.

Council files revealed that following his request for a more secure back door to be provided for his property following serious threats made against him, New Forest District Council had contacted the NHS to ask whether he was known to its mental health facility.

61-year-old operations administrator Robert Richardson said: “I asked the local council to replace my back door for added security for my family, but they were not forthcoming. I had concerns about what was happening internally at the Council in relation to my request. I proceeded to make a Right of Access request only to discover that they had contacted the NHS with the suspicion that I was suffering mental health issues.

“I was stunned and very upset to discover that this had taken place without my knowledge, or consent, and even more upset that the NHS had proceeded to access my private medical records to confirm to the Council that I had not been a mental health patient, again without my knowledge or consent.

“This followed a simple request to have the back door of my property replaced and at no point did the Council, or the NHS, ask permission to share my private information.”

Representing Mr Richardson, James Kelliher, litigation executive at data breach and cybersecurity specialist Hayes Connor Solicitors, commented: “The Trust admitted that a technical breach of the Data Protection Act had occurred. Our client discovered the breach purely by chance. It is concerning that private medical information was accessed and details shared without our client’s consent. Had he not made a Right of Access request the breach would have gone undetected.

“We pursued a successful data breach claim against Southern Health NHS Trust on behalf of Mr Richardson securing £1,500.

“GDPR came into force last year, raising awareness of data privacy; however, individuals’ private information has been protected by data protection laws for some time predating this, a fact that both the Council and NHS Trust should have been well aware of.”

Would you fall for this social media scam?

Cybercriminals are targeting people’s social media accounts in a bid to steal money and personal details. In fact, according to reports, a staggering 53% of all logins on social media websites are fraudulent, and 25% of all new accounts are fake[1]. And, while we have all heard about how people are using Facebook and other channels to spread fake news and influence elections, for some people, the consequences are much closer to home. So how can you protect yourself from social media scams?

Facebook PayPal Fraud

In one recent case, a Facebook user received a message from a friend on Facebook claiming he was having trouble with his PayPal account. The friend asked if he would accept some eBay payments on his behalf, and then send the money on to him.

While many of us might be suspicious if we were asked to give money to someone, most people are far less likely to worry about receiving cash. So, being the good friend he was, he accepted two payments and sent them on to the bank details provided.

However, as soon as the money had left his account, he got a message from PayPal saying that the payments he had received were fraudulent, and as such, were being reversed. This left the unwitting victim £300 out-of-pocket. Needless to say, his real friend had never asked for, or received any money.

To make matters worse, PayPal took no responsibility for the stolen cash. And, the young man learned the hard way that you should never take any requests to send money at face value, even if they seem legit.

What can you do to protect yourself from similar social media scams?

When using technology, we must be conscious of the data we are sharing, and how it can be used. Here are some quick tips to keep you safe on social media.

  • Don’t assume a message is authentic. Just because someone knows some personal information about you (e.g. your address, mother’s maiden name etc.), that doesn’t mean they are genuine
  • Don’t accept friend requests from people you don’t know
  • Be careful about what you share online (e.g. avoid answering questions like “what was your mother’s maiden name” and “what was the name of your first pet”, even if they seem to be part of a harmless quiz or post)
  • Remove location data from your posts
  • Use a different password for each of your accounts
  • Use two-factor authentication
  • Check the privacy settings of all your accounts
  • Don’t download suspicious apps
  • Think twice before clicking on any links
  • Read the T&Cs of any games or apps you want to use
  • Always check with friends (offline) if they ask you to send money or do anything you are unsure about
  • Keep an eye out for fraudsters looking to gather personal information about you or someone you know
  • Never disclose security details such as your PIN or full banking password to anyone (including anyone claiming to be from your bank)
  • Know that banks or other trusted organisations will never contact you and ask you to transfer money to a secure account
  • If something doesn’t feel right listen to your instincts
  • If you’re worried that you may be at risk, report it to your bank, the Police or Action Fraud straight away.

Today, social media is part of everyday life. So, we would never suggest that you stop using it. But following these simple steps can help you to stay safe.

Get digitally aware

At Hayes Connor Solicitors, we want to reduce the number of data violations and successful cyber scams taking place across the UK. To do this, we are raising awareness of this issue and educating people to help stop fraudsters in their tracks.

For more advice on how to keep safe, follow us on Twitter and Facebook.

Alternatively, if you have been the victim of an online scam, contact us to find out how we can help you to recover any losses.


[1] Arkose Labs

Today’s Legal Cyber Risk, 7th October 2019

In an increasingly digitised era, more and more of our personal information is stored, processed and shared online. Kingsley Hayes advises on simple tips to help prevent cyber-attacks and maintain robust data protection in Today’s Legal Cyber Risk.

Is the ICO meeting the needs of the individual when it comes to data breaches?

Our managing director Kingsley Hayes has been keeping a close eye on the key data privacy trends that our firm has seen since the General Data Protection Regulation (GDPR) came into force. And he believes that the Information Commissioner’s Office’s (ICO) approach to data breach enforcement isn’t yet meeting the needs of the individual. But could things be about to change?

What are we seeing?

At Hayes Connor Solicitors, we have received thousands of enquiries from customers who have suffered as a direct result of a high-profile data breach. And, every day we are also helping the victims of smaller data breaches. Breaches that are causing misery and upset to people across the UK.

So, as you can imagine, our expert data protection solicitors pay close attention to how the ICO has responded to data breaches of all types and sizes.

In our opinion, the ICO has taken a proactive stance when it comes to commenting on large-scale breaches. This has no doubt been done to secure the attention of the media and politicians. And to make sure that organisations take appropriate action in the aftermath of any breach.

But, while we understand this approach, we also believe that the ICO still requires education on the lasting and full impact of data breaches. Because to date, the experience of the individual is still being downgraded.

Is emotional distress being taken into account by the ICO?

As it stands, the ICO is not coming down hard on organisations that are reporting data breaches and apologising for the violations. This can leave victims of data breaches wondering whether their suffering has even been taken into account.

For example, at Hayes Connor, we have experience of a particular organisation with a track record of committing data breaches that can only be described as atrocious. Over the last four years over 150 reported incidents of the same type have been made. And despite reported changes to process and internal governance, in the months leading up to the implementation of the GDPR another significant and life-affecting breach occurred.

Unfortunately, for those involved in this case, the ICO’s response was less than satisfactory.

Are things about to change?

We hope that, as time progresses, so too will the ICO’s approach. And there are signs that things are changing.

For example, earlier this year the ICO sent a warning shot to all organisations that – while unlikely to make any headlines – has wide-reaching implications.

In this case, the regulator took legal action against a housing developer. The developer had failed to comply with an Enforcement Notice which had been served by the ICO in relation to a failed subject access request. Under data protection laws, such a request allows an individual to request a copy of all the personal information an organisation holds about them.

The ICO won this case, and the developer was ordered to pay a fine and prosecution costs.

Crucially, by supporting the individual and taking robust action in this matter, the ICO demonstrated that it is intent on pursuing any organisation which is not taking its data protection obligations seriously.

However, the role of the ICO is to uphold information rights in the interest of the public and manage the complaints process. To do this effectively it must understand the various psychosocial effects that data breaches can have on individuals.

Thankfully, over the last few years, people are waking up to the reality of mental health. And there is a greater awareness about the lasting effects of physiological suffering and anguish. But more still needs to be done.

Education is vital

According to renowned clinical psychologist and visiting professor in law and psychology at Birmingham City University School of Law, Professor Hugh C. H. Koch, education is crucial to ensure the needs of the individual are met. He said:

“Education within the legal media, both written and digital, concerning the psychological effect of data breaches reinforced at legal educational meetings and conferences will raise the bar of how much lawyers know and understand about data breach effects.”

Until then, while much has been achieved since the introduction of the GDPR, there is still a fair way to go before individuals can expect a standard of data protection we should all aspire to.

You can read more about the latest data breach trends here.

Leading by example

At Hayes Connor, we want to reduce the number of data violations taking place across the UK. To do this, we are helping to raise awareness of this issue and educating people and businesses to prevent similar mistakes from happening.

For more advice on how to keep your data safe, follow us on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call to discuss your case in more depth.

Legal Futures, 4th October 2019

The Court of Appeal made a ground-breaking ruling on 2nd October 2019 reinforcing the value of personal data and adding further weight to action taken against organisations who fail in their data protection obligations. Kingsley Hayes talks about what this means for data breach claims in Legal Futures.

Court of Appeal makes ground-breaking ruling on data protection

The Court of Appeal made a ruling on 2nd October in the Lloyd v Google case which may open the floodgates to data breach claims.

The Court decided that claimants would be entitled to compensation even if the only personal information breached was their email address. It also ruled that a claim would be valid without the requirement to prove a loss or damage as the loss of control of the personal information was sufficient grounds.

The ground-breaking judgement also clarified that firms representing only a portion of the total number of individuals affected in major data breaches, such as the British Airways and Ticketmaster incidents, can claim compensation for the entire population affected and can thereafter distribute the funds.

Kingsley Hayes, managing director at data breach and cybersecurity specialist Hayes Connor Solicitors, said: “This is a very significant development which recognises that personal information has a value and when that private data is compromised, the individual has a right to compensation whether or not they have suffered actual, or potential, financial loss or psychological injury.

“The ruling rightly adds further weight and consequence to any breach of personal data, even if a breach only involves an individual’s email address. This is likely to open the floodgates as consumers become increasingly proactive about protecting their privacy rights and seek legal redress.

“Businesses who are not already taking their data protection obligations seriously will have to step up their data protection practices or face legal action and hefty costs.

“The Court of Appeal’s decision sets a precedent as we can now claim compensation for the total number of those affected by a breach and not just the individuals who have proactively contacted us to pursue compensation on their behalf.

“The development is fair and right providing robust clarity that the law sits firmly behind the rights of individuals to have full control of all their personal information and how, when and where this is stored, processed or shared.”

Hayes Connor Solicitors was recently appointed as data protection supplier to the Communication Workers Union and is currently acting for thousands of claimants with data breach action against Ticketmaster, Equifax, Marriott International, TeamSport, Dixons Carphone and the Police Federation of England and Wales.


Valley News, 3rd October 2019

Our client was unhappy with how a simple request for a replacement back door was being handled by his local Council prompting him to make a Right of Access request. He discovered that his data protection rights had been violated as the NHS had accessed and shared information from his medical records without his knowledge or consent. We were pleased to secure £1,500 compensation for him as a result.

Going to Uni? Don’t fall for this student loan scam!

Many students about to start their university and college courses could fall victim to a cyber scam if they are not vigilant. This follows warnings that fraudsters are aware that students will soon receive their first loan instalment of the year, and are using ‘phishing’ to try and steal this money.

Student Loans Scam

According to the Student Loans Company (SLC), students should be suspicious of any requests for personal or financial information from anyone claiming to be from the SLC or Student Finance England (SFE).

The loan provider claims that, in the last two academic years alone, its counter-fraud teams have stopped more than half-a-million pounds from being phished from student loans.

In most cases, students will receive emails, texts, calls etc. claiming to be from a student loan company. These messages will request personal or financial information that could be used to access their accounts and steal their much-needed money.

Attacks increase just as loan instalments are released. Cybercriminals have also been known to target the parents and partners of students to get access to this data.

What can you do to protect yourself from student loan scams?

Here are some quick tips to keep you safe from this type of scam:

  • Never disclose security details such as passwords
  • Don’t assume an email, text or phone call is authentic. Just because someone knows some personal information about you (e.g. your mother’s maiden name), that doesn’t mean they are genuine
  • Know that legitimate financial organisations would never contact you and ask you to confirm your login information
  • Emails that start ‘Dear Student’ are unlikely to be genuine. But, even if your personal details are included, this doesn’t mean that the communication is real
  • Any warnings such as ‘failure to respond in 24 hours will result in your account being closed’ should start alarm bells ringing
  • Be aware who you’re sharing your personal information with. Only give out details to a service you trust and that you’ve contacted directly or are expecting to be contacted by. Even then, do not hand over sensitive information such as PINs or passwords
  • Don’t be rushed into handing over personal or financial information
  • If something doesn’t feel right listen to your instincts. Leave the conversation if it makes you at all uncomfortable
  • Always question who you’re talking to. If in any doubt call them back using trusted contact details to check the request is genuine
  • Don’t be afraid to say you’ll get back to someone using the phone number or email address as listed on their website. A legitimate organisation would never try to panic you out of taking security checks
  • Never automatically click on a link in an unexpected email or text
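  • Make sure you look at the address bar when logging into a website. If there is a padlock icon your connection is secure, although the padlock only shows that the connection is encrypted, not that the site itself is genuine. If a site doesn’t have this lock icon, do not share any sensitive information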
  • If you’re worried that you may be at risk, report it to the Police or Action Fraud straight away.


Over a year since GDPR, financial organisations still aren’t keeping our data secure

It’s been over a year since GDPR came into effect. But despite this, too many companies still aren’t doing enough to protect our personal and financial information.

In fact, according to RiskIQ, when it comes to financial services organisations, of public PII-capturing websites with a login page, 11.5% of these sites are still capturing this data without adequate security measures.

What is a PII capturing website?

A PII capturing website is one which collects information from its users that can identify them. Examples of PII include names, addresses, dates of birth, email addresses and login credentials.

Is GDPR making an impact?

These findings are very worrying, particularly due to the damage that can be caused if our banking and credit card information falls into the wrong hands. We should be able to have confidence in all organisations that look after our sensitive data, but especially the financial sector.

But the good news is that there are signs that organisations are starting to take their data protection obligations more seriously. And so they should as they risk huge fines and compensation claims should a data breach happen.

It’s just that, so far, most of the data breaches investigated by the Information Commissioner’s Office (ICO) happened before GDPR came into force. And, under the old law the maximum fine for a data protection failure was just £500,000 (and even that wasn’t handed out often).

However, the tide is turning. The ICO has recently announced that it plans to fine the Marriott hotel nearly £100m. And British Airways is being fined £183 million for its high-profile data breach.

At Hayes Connor Solicitors we are paying close attention to how the ICO is responding to new data breaches and are monitoring the impact of the GDPR now it is starting to make a difference.

What should organisations do now?

With most organisations continuing to expand their web presence, it’s essential that more is done. This includes taking steps such as:

  • Maintaining a complete inventory of all PII capturing websites and making improvements to these to make sure they are secure
  • Ensuring that any new sites are built with robust security measures
  • Making sure that companies aren’t collecting personal data they don’t need via their websites.

Making a data breach compensation claim can help

In our experience, the response of organisations following data breaches has been woefully lacking. Too many big companies seem to think they can get away with just saying sorry.

However, such an absence of care over the very real impact of a data breach should not be tolerated or accepted. And, one way that organisations can be forced to put adequate security measures in place is by people taking legal action where they have been let down. Or in other words – hitting them where it hurts. Because unless this happens, the security of the individual won’t be made a priority.


Data protection solicitors

At Hayes Connor Solicitors, we are committed to upholding the data protection rights of our clients. For more advice on your rights, and how to keep your data safe, follow us on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, contact us to find out how we can help you to recover any losses.

Data protection is everyone’s business during Cybersecurity Awareness Month

October marks Cybersecurity Awareness Month, an annual reminder for businesses and individuals that cybersecurity risks are ever present and data protection is everyone’s responsibility.

Preventing data breaches can be as simple as managing password usage across multiple platforms and regularly checking for any compromises according to cybersecurity specialist Hayes Connor.

Kingsley Hayes, managing director at data breach and cybersecurity specialist Hayes Connor Solicitors, said: “There are simple measures that individuals and employees can implement to create more robust defences against cyber-attacks. That can include ensuring that passwords are regularly changed, avoiding duplicating the same password across multiple applications and using tools such as Google’s Password Checker on a frequent basis to check whether any of the passwords used have been involved in major data breaches.

“Cybersecurity is everyone’s business during an increasingly digitised era and the solutions can be as simple, and manageable, as taking care with password selection and usage. Many of us will use significant dates such as birthdays and anniversaries or pet’s names for passwords for example.

“This may have been perfectly safe and acceptable some years ago but, as hackers become increasingly sophisticated and more personal data is used, stored and shared online, using passwords that cannot be easily guessed is best practice.

“Google has recently made its Password Checkup feature more accessible building it into its Google account controls. These tools should be utilised for a monthly health check on passwords and any red flags acted on immediately.

“Data protection doesn’t have to be costly or complicated but simple measures such as this, taken by everyone on a regular basis, can prevent costly and damaging data breaches impacting individuals and businesses.”

Hayes Connor Solicitors was Highly Commended for Boutique Firm of the Year at the Modern Law Awards in January 2019.

The firm was recently appointed as data protection supplier to the Communication Workers Union and is currently acting for thousands of claimants with data breach action against Ticketmaster, Equifax, Marriott International, TeamSport, Dixons Carphone and the Police Federation of England and Wales.