Has someone hacked the Princess of Wales' medical records?
An investigation has been launched into claims that health records relating to the Princess of Wales’ January stay in The London Clinic may have been improperly accessed, according to The Mirror newspaper. The investigation centers around “claims staff attempted to access her private medical records” in what would be a significant breach of security protocols.
03/21 updates below. This article was originally published on March 20.
The U.K. Information Commissioner’s Office has confirmed that it has “received a breach report” and is “assessing the information provided.” If the breach is found to have occurred, then the staff member or members responsible could find themselves in legal jeopardy, as it is a criminal offense to access patient records without the consent of the hospital data controller concerned.
Al Russell, chief executive of the London Clinic, has addressed the importance of patient confidentiality in a statement released to the press, but without any reference to the potential breach of Kate Middleton’s health records.
"We have systems in place to monitor the management of patient information,” Russell said, adding that in case of a breach, the appropriate investigator, regulatory, and disciplinary steps would be taken. “There is no place at our hospital for those who intentionally breach the trust of any of our patients or colleagues,“ Russell concluded.
Were Kate Middleton’s Health Records Hacked?
It’s easy to jump to conclusions so early in any such investigation, and when patient data is concerned thoughts naturally jump to hospital hackers. However, there is absolutely no evidence to support such a scenario.
The Mirror says that its inside sources have claimed that “up to three people” could be involved in the data breach. The same sources suggest that the alleged breach happened after the Princess of Wales had been discharged from the hospital, once the media interest went viral. So, for now at least, this looks like members of staff may have accessed the records without permission and for nefarious reasons rather than someone hacking into the network from the outside.
A Stark Reminder About Cybersecurity In Healthcare
Any situation such as this, where personal medical records at a prestigious hospital are reported to have been targeted for unauthorized access, “underscores a stark reminder about the paramount importance of cybersecurity hygiene and ethics in all aspects of healthcare,” Javvad Malik, lead security awareness advocate at KnowBe4, said.
If staff members did access the data, he added, the incident adds weight to the argument that there’s “a pressing need for rigorous cybersecurity measures and ongoing staff training to mitigate insider threats.”
Will The ICO Investigation Have Any Teeth?
Joe Jones, director of research and insights for the International Association of Privacy Professionals, said that “the seriousness with which the ICO approaches this breach will be a salutary and important reminder that employees with access to other people’s personal data do not equate to those employees having the necessary permissions and legal right to access and share that data.”
And any such investigation from the ICO will almost certainly want to consider the potential criminality of the incident. “Section 170 of the [U.K.] Data Protection Act 2018 says that a person commits an offense if they obtain or disclose personal data ‘without the consent of the controller,’” said Jon Baines, a senior data protection specialist at Mishcon de Reya. Any of the standard defenses against such charges seem moot, such as believing they had the right to access the data or that it was in the public interest to do so.
