Barking, Havering and Redbridge University Hospitals NHS Trust (BHRUT), which runs Queen’s and King George Hospitals, has revealed that there is a “risk some personal data has been compromised”.
The trust said today (December 5) that details of invoices and payments to customers and suppliers were among stolen files, which include names and addresses of some patients and members of staff, posted on the dark web.
The patient data belongs to some of those who were liable to pay for their tests or treatment, and the staff data to staff members including those who owe money to the trust after receiving an overpayment.
A “large proportion” of the stolen data has been reported to be made up of lists of suppliers of goods and services with details “already in the public domain”.
A BHRUT spokesperson said: “We are sorry this has happened and we are taking it extremely seriously.
“Barts Health manages the contract for us with Oracle, the supplier of our financial management system.
“We are working with NHS England, the National Cyber Security Centre, the Met Police Cyber Incident Team, and the National Crime Agency. The breach has also been reported to the relevant regulators including the Information Commissioner’s Office.”
Barts Health is understood to be seeking a High Court order to ban the publication, use and distribution of the data by anyone.
It is unclear when the data was stolen, but BHRUT has reported that the theft was possible through a “loophole” in the Oracle E-Business Suite software that was “exploited”.
This has now been removed.
BHRUT wrote: “A few days after Barts Health learnt about the theft, they discovered our data was included and informed us. We’ve been working at pace, seven days a week, to identify those who have been affected.
“We will contact directly those who are most at risk.
“We’re taking steps with Barts Health and our suppliers to try to ensure it doesn’t happen again.”
Clinical systems belonging to the trust have not been affected, nor has the newly rolled-out electronic patient record.
The stolen data has not been shared on the general internet and is only retrievable by those who can access compressed files on the encrypted dark web.
BHRUT has warned, however, that whilst the details “do not give direct access to anyone’s accounts”, they could be used to trick people into sharing sensitive information or making payments.

