A former health advisor was charged with collecting the personal information of service recipients, specifically South Warwickshire NHS Foundation Trust patients.
Without a legitimate business reason, Mr. O'Brien improperly accessed patient medical records while performing his job duties.
Between June and December 2019, Mr. O'Brien saw the records of 14 patients without his employer's permission.
Christopher O'Brien appeared in front of the Coventry Magistrates' Court and entered a guilty plea to six charges of illegally acquiring personal information in violation of section 170 of the 2018 Data Protection Act.
He was ordered to pay a total of $3,000 in compensation, or £250 to each data subject.
Source: https://ico.org.uk/action-weve-taken/enforcement/christopher-o-brien/
TPRM report: https://scoringcyber.rankiteo.com/company/south-warwickshire-nhs-foundation-trust
"id": "sou2350151122",
"linkid": "south-warwickshire-nhs-foundation-trust",
"type": "Breach",
"date": "08/2022",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 14,
'industry': 'Healthcare',
'location': 'South Warwickshire',
'name': 'South Warwickshire NHS Foundation Trust',
'type': 'Healthcare Organization'}],
'attack_vector': 'Insider Threat',
'data_breach': {'number_of_records_exposed': 14,
'personally_identifiable_information': True,
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Personal Information, Medical '
'Records'},
'description': 'A former health advisor was charged with collecting the '
'personal information of service recipients, specifically '
'South Warwickshire NHS Foundation Trust patients. Without a '
"legitimate business reason, Mr. O'Brien improperly accessed "
'patient medical records while performing his job duties. '
"Between June and December 2019, Mr. O'Brien saw the records "
"of 14 patients without his employer's permission. Christopher "
"O'Brien appeared in front of the Coventry Magistrates' Court "
'and entered a guilty plea to six charges of illegally '
'acquiring personal information in violation of section 170 of '
'the 2018 Data Protection Act. He was ordered to pay a total '
'of $3,000 in compensation, or £250 to each data subject.',
'impact': {'data_compromised': 'Personal Information, Medical Records',
'financial_loss': '$3,000',
'legal_liabilities': 'Violation of section 170 of the 2018 Data '
'Protection Act'},
'investigation_status': 'Resolved',
'motivation': 'Unspecified',
'post_incident_analysis': {'root_causes': 'Unauthorized access by an insider'},
'regulatory_compliance': {'legal_actions': 'Court proceedings and '
'compensation ordered',
'regulations_violated': 'Section 170 of the 2018 '
'Data Protection Act'},
'response': {'law_enforcement_notified': True},
'threat_actor': "Christopher O'Brien",
'title': 'Unauthorized Access to Patient Medical Records',
'type': 'Data Breach',
'vulnerability_exploited': 'Unauthorized Access'}