Healthcare worst data leak offender

New findings by data breach experts reveal ongoing compliance challenges within the health sector, highlighting the continual need for businesses to train their staff on basic data handling practices.

Data breach solicitors Hayes Connor delved into data breaches, which have been tracked by the Information Commissioner’s Office (ICO) since 2019, to find which sectors experienced the most data breaches last year and beyond.

It found the health sector is a frequent violator, coming first for data breaches in 2023 (see the top ten offenders in the box on the right).

Hayes Connor’s study found the health sector made up around one-in-five reported data breach cases last year. On average across the five-year span, the health sector remains at the top of the list year on year, at almost one-in-five cases from 2019 to 2023.

Lawyers found basic personally identifiable data was the most common type of data compromised in health sector breaches last year, involved in 73.21% of cases. The second most common category was health data, at 61.66%.

Nearly a fifth of total data breaches in 2023 involved children’s data. This is considered particularly sensitive due to the fact children are less aware of the safeguards, consequences and risks regarding personal data processing.

In the health sector last year, 142 cases involved children’s data, making up 7.36% of health incidents.

Unauthorised access

The findings also showed the different incident types behind the data breaches. The number-one cause of data breaches within the health sector was unauthorised access, which accounted for 18.70% of the health data breach cases in 2023.

Data emailed to the wrong recipient showed up as the second most common incident type for this sector, at 16.22%. 

Hayes Connor said this demonstrates how human error plays a huge role in many data breach cases in the UK, and therefore the importance of internal business training.

It added: ‘It is important to bear in mind that part of the 2018 General Data Protection Regulations require businesses to report a data breach within 72 hours. Failure to notify a breach when required to do so can result in a significant fine of up to £18m or 4% of your global turnover.

Large fines

‘Concerningly, in the health sector, it’s taking over 72 hours to report 43.88% of their data breaches. This is leaving the sector vulnerable to large fines.’

Hayes Connor legal director Richard Forrest said: ‘Another year, another representation of how many organisations across all sectors are still failing to implement effective security protocols, leaving personal data vulnerable to breaches which have significant legal and financial repercussions for the entities involved. 

‘Despite regulatory advancements and the introduction of stricter compliance mechanisms, the rate of data breaches remains a serious concern. 

‘The recent ICO trends portray a continuous need for vigilance and updated compliance strategies from businesses, especially in how they manage and protect personal data against emerging cyber threats and human error.’