Hacking attack on UK medical group results in 480,000 patient records being accessed

April 17, 2014

The UK Telegraph reports in Hackers steal 500k patient records from Harley Medical Group that personal information relating to 480,000 patients of the Harley Medical Group has been accessed by hackers. Medical records are defined as sensitive information in the Privacy Act 1988. They are universally regarded as highly confidential, and the breach or misuse of medical files is generally placed in the category of the most serious privacy breaches. Doctor-patient confidentiality is part of the canon of medical ethics, has long been recognised at common law and, relatively recently, has received statutory recognition. That of course doesn’t prevent general practitioners and surgeons from making mistakes with patient records. Where the real problems arise is in the management of records by private health organisations, be they medical groups, insurers, hospitals or agencies and departments. With those groups there is a danger of treating patient records as just another form of data, which they most definitely are not. Regulators take a very dim view of data breaches involving medical records, as they should. It will be interesting to see how the Privacy Commissioner exercises his newly acquired powers when there is a breach of medical confidentiality through a breach of security or some other form of interference with privacy.

The article provides:

The personal details of nearly half a million people considering cosmetic surgery may have been accessed by hackers, it has emerged.

Cyber criminals reportedly gained access to servers belonging to the Harley Medical Group, which has 21 clinics across the UK, and extracted some 480,000 records from its website enquiry form.

This includes prospective clients’ names, addresses, dates of birth, email addresses and telephone numbers, as well as details of the type of cosmetic procedure they were interested in.

Harley Medical Group said in a letter to customers affected that no clinical or financial information was accessed, and that it had informed the police and the UK’s Information Commissioner’s Office (ICO) about the data breach.

“We acted immediately when we became aware that an individual had deliberately bypassed our website security, gaining access to contact information from initial inquiries, in an attempt to extort money from the company,” said Harley Medical Group’s chairman Peter Boddy.

“We have taken action to further strengthen the security around website inquiries.”

Details on how the hackers managed to access the data have not been made public, but there is currently no suggestion that it is linked to the Heartbleed bug, which has been making headlines over the last two weeks.

A report in The Sun suggests that the hackers used a Russian email address to try and extort money from the Harley Medical Group, and that stars of The Only Way is Essex were among customers whose details were leaked.

Security expert Graham Cluley put the breach down to “sloppy security” on the part of Harley Medical Group, suggesting that it failed to protect its customers’ information.

“If you’re considering having a tummy tuck, a breast enlargement or some other form of cosmetic surgery, chances are that you want to keep the treatment private,” Cluley wrote in a post on BitDefender’s HotForSecurity blog.

“Such information could be used not just to embarrass an individual, but also – potentially – to extort money from them,” he said.

“Furthermore, the private information could be sold to tabloid newspapers or entertainment websites which are scrabbling for some showbiz tittle tattle to fill their pages.”

The Information Commissioner’s Office confirmed that it would be making enquiries into the incident.

Harley has taken proactive steps to address concerns regarding the breach and to do some reputational rebuilding with a letter from the Chairman which provides:
