Cyber Incident Victim: NHS Wales
Date: Oct 2016
Location: United Kingdom
Summary
A cyberattack targeting a private contractor processing radiation dose data for NHS Wales staff resulted in the theft of personal information including names, dates of birth, National Insurance numbers, and radiation exposure records. The breach affected thousands of current and former employees across multiple health boards, including radiographers, cleaners, and support staff, as well as some private dental and veterinary personnel and NHS workers in other UK regions. Stolen data could potentially facilitate long-term identity fraud or financial crimes, according to cybersecurity experts. The health service described the incident as deeply disappointing, noting delays in notifying affected individuals after the contractor discovered the intrusion. Investigations were initiated alongside credit monitoring services for victims, with assurances that no patient data was compromised and that security measures had been strengthened post-attack.
Description
In October 2016, an unauthorized third party illegally accessed computer servers operated by Landauer, a private contractor processing radiation dose meter badge data for NHS Wales staff. The breach resulted in the theft of personal details belonging to thousands of medical workers across Wales, England, and Scotland. Compromised data included full names, dates of birth, National Insurance numbers, and recorded radiation exposure levels. Affected individuals spanned radiographers, cleaners, and other personnel from most Welsh health boards, including approximately 530 staff at Velindre NHS Trust (which coordinated the radiation monitoring program) and 654 current and former employees at Betsi Cadwaladr University Health Board. Private dental and veterinary staff using the same monitoring service were also impacted. Landauer notified Velindre NHS Trust of the breach on January 17, 2017, though some affected workers reportedly weren't formally informed until early March 2017.

The data theft exposed victims to potential long-term identity fraud risks, as National Insurance numbers and birth dates could facilitate financial fraud applications. One anonymized radiographer described feeling their "whole life had been stolen," expressing concerns about attackers exploiting the information years later. Cybersecurity expert David Jones noted such immutable personal data holds enduring value for criminals compared to temporary financial credentials. Welsh NHS authorities launched investigations while coordinating with Landauer to implement enhanced security measures on UK IT networks. Affected staff received free 24-month credit monitoring through Experian. Velindre NHS Trust criticized Landauer's delayed breach notification, citing ongoing discussions about the communication lapse. Betsi Cadwaladr Health Board emphasized no patient data was compromised and that Landauer had swiftly secured its systems post-attack. The Welsh Government and Information Commissioner's Office were formally notified of the incident.
