Thousands of National Health Service (NHS) staffers in Wales have had their personal details stolen after a hacker accessed the servers of a private contractor and pilfered names, dates of birth, national insurance numbers and data taken from work with medical technology.
The contractor in question, called Landauer, provides radiation safety products and services to multiple sectors including healthcare, education and national security. According to its website, the company provides its customers with "market-leading technology".
On 13 March, the BBC revealed that a malware implant compromised records of staff at "most health boards in Wales" – including radiographers who use Landauer systems to monitor their exposure levels while conducting X-rays.
NHS Wales said not every staff member was impacted in the same way, as a different combination of data was held on each medical professional. Victims included over 500 people working at Velindre NHS Trust and 654 staff at Betsi Cadwaladr University Health Board, it emerged.
A breach notification was sent by Landauer to the Velindre Hospital, a specialist cancer treatment centre, on 4 January this year.
"We are writing to inform you of a recent data security attack that was made on one of Landauer's UK servers," it said. "An unknown third party was able to install malware onto the server which made a copy of data."
In a statement, Public Health Wales told IBTimes UK: "[We have] been notified of a data breach relating to staff details held by a third party company.
"This affects only a small number of our staff, who have been directly notified of the issue, and is not due to any of our own information security being breached. Our other staff and service users are unaffected by this."
The Welsh NHS said the incident was "deeply disappointing" and officials have voiced concern that it took months for the cyberattack to be revealed in full. Staff were told in early March about the breach, which first occurred in October last year, the BBC reported.
The Velindre health trust, meanwhile, was not informed until 17 January.
Andrea Hague, director at the Velindre health trust, said the reasons for the notification delay are the subject of "ongoing discussions with the host company." The Welsh government has been informed and further independent probes are now underway.
An ICO spokesperson told IBTimes UK: "We are aware of this incident and are making enquiries. The organisations impacted should be informing staff if they have been affected.
"There are measures people can take to guard against identity theft, for instance being vigilant around items on their credit card statements or checking their credit ratings. There are more tips and information on our website."
Spokespersons for the Velindre NHS Trust and Betsi Cadwaladr University Health Board have stressed that no patient data was exposed in the hack.
A Betsi Cadwaladr spokesperson said: "We have contacted all the staff affected to reassure them that Landauer has acted swiftly to secure its servers and that, since the attack, it has undertaken significant measures in connection with its UK IT network."
Darren Millar, politician for the Clwyd West constituency, spoke out about the months-long delay in telling affected medical professionals their data had been stolen.
"This really is an astonishing data security breach," he said. "You've got thousands of NHS workers who've had their personal details compromised. The delays in informing those who've been affected are completely unacceptable."
IBTimes UK contacted Landauer for comment but had received no response at the time of publication.