The target: The NHS, the United Kingdom’s national healthcare service provider.
The take: 284 records of personally identifiable information including: names, dates of birth, contact information, and hospital identification numbers.
The attack vector: The breach was the result of human error and internal process failure when a spreadsheet containing the personal information was accidentally emailed to thirty-one individuals outside the NHS.
This incident could have been avoided with the implementation of data classification controls – appropriate tagging of sensitive materials could have provided an additional stopgap before this document left internal systems. Ultimately, this breach serves as an important reminder that wherever sensitive personal data is in play, vetted processes should be implemented and followed, with regular training and reminders, to ensure its protection. It is an organization’s responsibility to provide the tools and training necessary to maintain safe and consistent approaches to handling data, and to impress upon staff the importance of adherence to procedure.