
Data Security Breach Advice

Comments

  • 1813
    1813 Posts: 140 Forumite
    Fourth Anniversary 100 Posts
    Lorian said:
    I have no experience of the NHS policy and I am not legally trained. In my experience this would not be a breach and certainly not notifiable to the ICO unless it contained further personal information. If I had done this I'd be expecting a ticking off, be told to ask the recipient to delete it, and expect some mandatory GDPR re-training.
    Be careful though; I've seen people do far worse, and fear each day it will be me, and I avoid ever emailing personally identifiable information for this reason.
    Could you elaborate as to why this isn't a breach of security in your own view? I'd really appreciate it.
  • 1813
    1813 Posts: 140 Forumite
    Fourth Anniversary 100 Posts
    Thanks Mark. I am waiting to hear back. I haven't gone in today as I was anxious about this situation, but I have sent work an email. I'm not actually an employee, I am a bank worker, and have said I want to resolve this matter through a meeting so I don't work under a dark cloud, as I was getting anxious and making mistakes yesterday and I do not want that to happen on top of this investigation. Therefore I feel it only right to get this resolved first and then move forward.
  • 1813
    1813 Posts: 140 Forumite
    Fourth Anniversary 100 Posts
    Thanks Tellit01 
  • MattMattMattUK
    MattMattMattUK Posts: 11,137 Forumite
    10,000 Posts Fourth Anniversary Name Dropper
    Unless the email contained highly sensitive or personal information and the "wrong" John Smith is quite high in management or is a data protection officer, I am wondering why they would pursue this.
    Contractual obligation to report? As far as I am aware most companies now make it a potential gross misconduct offence to not report a potential data breach. That being said they should not be telling the first person, they should be forwarding the email to the internal DPO and then deleting it. 
  • Dakta
    Dakta Posts: 585 Forumite
    Seventh Anniversary 500 Posts Name Dropper
    edited 12 October 2023 at 10:21AM
    1813 said:
    Dakta, 

    The email contained their name and hospital number, nothing more. I agree it is easy to make when the email address is similar by one digit so I do feel any logical person would arrive at that same conclusion and I have asked multiple people the same question and they have all come to the same conclusion. 

    The part about keeping us safe is really sound as well because if email addresses are being used where the information is that close in nature, surely they are opening themselves up to data security breaches because these sorts of mistakes can happen, a very intriguing point. I argued that email addresses for everyone in the organisation should be unique or if you have the same surname perhaps use an alias or use another part of your name so this adds even more security to stop breaches.

    Definitely no malicious intent. I just wanted to make sure the right person got the information, so all I felt like I was doing was covering my bases.

    Thanks

    Yeah, I know what you mean. The reason I stated that was because I've worked in a few organisations that effectively 'ban' typing email addresses as part of operating practice unless it's an absolute first encounter; you use an address book, or click reply. You don't get shot over it, but they're basically trying to remove/phase out the manual typing of email addresses where possible because of this sort of thing.

    You haven't exposed any personal health info by the sounds of it, just two details of PII, a name and a number, which as noted above probably have very limited value. It's a bit of a breach but it's not a cart-you-off-to-jail job, and I think the recipient is being a bit dramatic to issue threats. An email to let you know you'd gotten the wrong email address would have done the job.

    I would still flag it for the sake of integrity, and I wouldn't want to predict the company's response, but the reality is this is an anyone-can-do-it mistake, so just keep that at the front of your mind. You aren't the first and you're by far not going to be the last.
  • 1813 said:
    Dakta, 

    The email contained their name and hospital number, nothing more. I agree it is easy to make when the email address is similar by one digit so I do feel any logical person would arrive at that same conclusion and I have asked multiple people the same question and they have all come to the same conclusion. 

    The part about keeping us safe is really sound as well because if email addresses are being used where the information is that close in nature, surely they are opening themselves up to data security breaches because these sorts of mistakes can happen, a very intriguing point. I argued that email addresses for everyone in the organisation should be unique or if you have the same surname perhaps use an alias or use another part of your name so this adds even more security to stop breaches.

    Definitely no malicious intent. I just wanted to make sure the right person got the information, so all I felt like I was doing was covering my bases.

    Thanks
    It is some years since I worked in the NHS but I do recall that, because it is a very large organisation as far as the nhs.net email address is concerned, there will be a number of people with the actual same name (eg Mary Smith) and their addresses were distinguished with numbers. It was just something to watch out for.

    Using an alias or in some way changing their name would not, imho, make things better but could make it harder to select the correct person.
  • 1813
    1813 Posts: 140 Forumite
    Fourth Anniversary 100 Posts
    Dakta said:
    1813 said:
    Dakta, 

    The email contained their name and hospital number, nothing more. I agree it is easy to make when the email address is similar by one digit so I do feel any logical person would arrive at that same conclusion and I have asked multiple people the same question and they have all come to the same conclusion. 

    The part about keeping us safe is really sound as well because if email addresses are being used where the information is that close in nature, surely they are opening themselves up to data security breaches because these sorts of mistakes can happen, a very intriguing point. I argued that email addresses for everyone in the organisation should be unique or if you have the same surname perhaps use an alias or use another part of your name so this adds even more security to stop breaches.

    Definitely no malicious intent. I just wanted to make sure the right person got the information, so all I felt like I was doing was covering my bases.

    Thanks

    Yeah, I know what you mean. The reason I stated that was because I've worked in a few organisations that effectively 'ban' typing email addresses as part of operating practice unless it's an absolute first encounter; you use an address book, or click reply. You don't get shot over it, but they're basically trying to remove/phase out the manual typing of email addresses where possible because of this sort of thing.

    You haven't exposed any personal health info by the sounds of it, just two details of PII, a name and a number, which as noted above probably have very limited value. It's a bit of a breach but it's not a cart-you-off-to-jail job, and I think the recipient is being a bit dramatic to issue threats. An email to let you know you'd gotten the wrong email address would have done the job.

    I would still flag it for the sake of integrity, and I wouldn't want to predict the company's response, but the reality is this is an anyone-can-do-it mistake, so just keep that at the front of your mind. You aren't the first and you're by far not going to be the last.
    Wonderful response, thank you. This is why I am also intrigued by the safety measures in place to protect staff against this, and also, is it fair to say that in light of potential breaches, training should have taken place to say to be aware of people who have the same name and that different individuals will use numbers? I do not think this is unreasonable, and how are you to know that at all unless you are told? Where breach of security is concerned, I'd assume this would be really important, even at a basic level.

    I agree, why not send an email to confirm you had the wrong address, and why allow this to build? So could the recipient also be in trouble if they allowed this to keep happening? I don't know.

    Thanks, I know this sort of thing happens a lot and I honestly believe this offence is minor if anything. Plus I also believe that by allowing email addresses to be used in this way makes the potential for data breaching more likely and understandable, so surely a process where each name is unique, or at least more identifiable to the sender to identify their department, for example, would have been appropriate. I do regret my actions but I certainly do not feel guilty about them, as it was an understandable error of judgment, especially where the address is different by 1 element and this is not explained adequately to staff to stop the potential for security breaches happening.
  • Dakta
    Dakta Posts: 585 Forumite
    Seventh Anniversary 500 Posts Name Dropper
    edited 12 October 2023 at 11:28AM
    Even if it were explained/training given, a single digit difference will always cause problems in the real world unless it becomes automated or there's a technical control to provide oversight, IMO. But this could end up off topic :D

    Main thing is you understand the seriousness and the potential implications (what if it was a medical record?), but I would definitely not worry excessively.
  • LightFlare
    LightFlare Posts: 1,450 Forumite
    1,000 Posts Second Anniversary Name Dropper
    Personally, if all that was sent was a name and number then the unintended recipient is being a bit of an ***.

    Our team get at least one of these a month and all we do is reply to the sender to inform them that we were unintended recipients.
  • Plasticman
    Plasticman Posts: 2,540 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Combo Breaker
    This is one of the most common causes of a data breach. You've sent some (not particularly sensitive) personal information to somebody internal. You've raised it with your manager. I've never worked in the NHS but in most organisations you'd just be asked to be more careful and maybe asked to do some data protection training. I'd relax and get on with your job. 