The Probe - Proudly serving the dental profession for over 60 years

Responding to a data breach

News

Posted by: Dental Design, 26th August 2021

Would you know what to do if your patient’s data was compromised by cybercriminals?

The Coronavirus pandemic has driven more crime online, according to the latest crime survey from the Office for National Statistics.

Despite a fall in other types of crime in England and Wales during the year to March 2021, there were an estimated 1.7 million computer misuse offences, up by 85% compared to the year ending March 2019. The increase was largely driven by a 162% rise in unauthorised access to personal information (including hacking) offences, including large-scale data breaches. 

Dental practices and other healthcare providers could represent a tempting target for criminals. Not only do they hold large amounts of sensitive personal information, but they might also be regarded as less secure. Healthcare organisations consistently report the highest number of data protection breaches (although this could also reflect a greater degree of transparency). The latest statistics from the ICO for 1 April – 30 June 2021 show there were 607 data security incidents in the healthcare sector (including 108 cyber security incidents) which was nearly double the number reported in the education sector.

The GDC expects dental professionals to “make sure that patients’ information is not revealed accidentally and that no-one has unauthorised access to it by storing it securely at all times” but if you believe your data protection defences have been breached, it is important to respond promptly and appropriately to limit the damage.

The DDU has put together a guide to dealing with a data breach which is summarised below:

Recognise what constitutes a data breach

The ICO defines a personal data breach as “a security incident that has affected the confidentiality, integrity or availability of personal data”. A personal data breach may belong to one or more of three categories.

Confidentiality – an unauthorised or accidental disclosure of or access to personal data. This type of breach is most common with patients’ records.

Availability – an accidental or unauthorised loss of access to, or destruction of, personal data. For example, the sort of problem that might arise after a cyberattack that prevented access to and/or destroyed records.

Integrity – an unauthorised or accidental alteration of personal data.

Ensure all staff can recognise a data breach and understand that it is not just loss of personal data.

Ensure there are robust procedures to detect, investigate and report breaches.

All health service organisations in England with access to NHS data must use the Data Security and Protection Toolkit, an online annual self-assessment tool that allows organisations to check they are practising good data security and that personal information is handled correctly. The Toolkit has been designed to identify data breaches that meet the threshold for notification and will report relevant incidents to NHS Digital, the Department of Health, the ICO and other regulators.

Report data breaches promptly

You must report data breaches which are likely to result in a “risk to the rights and freedoms of individuals” within 72 hours of becoming aware of the breach. The Guide to the Notification of Data Security and Protection Incidents explains how to do this and what to expect afterwards. Dental practices should use the ICO’s breach reporting service.

When you notify a breach, you will be required to provide information, including:

  • the categories and approximate number of individuals concerned
  • categories and approximate number of personal data records concerned
  • name and contact details of Data Protection Officer or other contact point
  • description of likely consequences of personal data breach
  • description of measures taken or proposed to be taken to deal with personal data breach, including measures to mitigate possible adverse effects.

The ICO advises organisations to consider reporting major cyber incidents to the National Cyber Security Centre (the NCSC) while incidents that might heighten the risk of fraud against individuals should be reported to Action Fraud or Police Scotland.

Inform affected patients if necessary

The GDPR states that you should inform the data subject if a breach is likely to result in a “high risk to their rights and freedoms”, which is a higher threshold than the one that triggers a notification to the ICO. For example, you would usually need to inform patients if their records were accidentally disclosed, because of the sensitivity of the data and the potential for confidential medical details to become known to others.

Failure to respond properly to a data breach can result in significant harm and lead to a heavy fine. Practices are advised to contact their dental defence organisation if they have specific concerns about their data protection obligations.

About the author

Leo Briggs is the deputy head of the DDU.
