– in the Senedd on 14 March 2017.
I now call on Darren Millar to ask the fourth urgent question. Darren Millar.
Will the Cabinet Secretary make a statement on the data security breach affecting NHS staff using radiation dose meters? EAQ(5)0135(HWS)
Thank you for the question. The servers were provided by a third-party company named Landauer. They informed Velindre NHS Trust on 17 January 2017 that they had been subject to cybersecurity attack on 6 October 2016 and that staff information had been accessed. Landauer has confirmed that the breach occurred on its UK servers at its headquarters in Oxfordshire, and full details of the incident were provided to Velindre by Landauer on 26 January 2017.
Thank you for that statement, Cabinet Secretary. This is an astonishing data security breach affecting thousands of NHS workers right across Wales. At the moment, we know that NHS staff in the Betsi Cadwaladr University Local Health Board have been informed, all 654 of them. We know also that the Velindre trust has informed its members of staff, but, as yet, we’re unaware that other members of staff in all the other health boards across Wales have been actually informed. I wonder whether you could tell us today: when will they get to know about the fact that their personal details, including their dates of birth, national insurance numbers, alongside their names, have potentially been leaked to third parties and could be abused in terms of fraudulent activity? People can change their bank account numbers, they can change their passwords, but they cannot change their national insurance numbers. This is something that goes around with them for the rest of their life, and potentially this information could be misused five, 10, 15, 20 years down the line.
So, I wonder what action the Welsh Government is taking to ensure that health boards take their responsibility to inform staff very quickly seriously. Can you tell us why there has been a delay between the NHS having been informed of this breach and staff being informed? When did the Welsh Government first become aware of this data security breach, and why did we not receive at that time a briefing as Assembly Members in order that we could liaise with health boards and reassure our constituents about the problems that this might cause? And did the Welsh Government give instructions to sit on this information at all? I think these are important questions. I don’t doubt that there was some discussion between the Welsh Government and the health boards about this particular breach, but I wonder what advice was given to those health boards, when they became aware of the breach, about communicating with their staff. It’s very clearly the biggest data breach that I’ve ever been aware of in the NHS in Wales. It’s a serious breach, and we need to understand precisely how this happened and what can be done to prevent it from happening again in the future.
Thank you for that series of questions. Presiding Officer, it might be of help to confirm that I will issue a written statement to Members during the course of this week to provide some fuller detail, which I don’t think we’ll be able to deal with in today’s urgent question. I appreciate that a number of Members will have a range of questions and interests for their own constituents. But if I can be as helpful as I can in answering the series of questions that the Member has asked: the data breach is serious—of course it’s serious—and it’s a breach that affects staff in both England and Scotland as well as in Wales. The company involved provide an integrated service for a range of different healthcare organisations right across the UK. So, they take this seriously, but there are obvious questions to ask, and that I myself will want to be reassured on, about the time lag in the breach occurring, the company being aware and NHS Wales organisations being informed. There is a full and proper investigation that is being undertaken. I don’t think, in honesty, Presiding Officer, I’ll be able to inform Members of all those matters because I don’t expect that the investigation will be completed this week, but I’ll certainly reassure Members that, as soon as that information is available, I will provide a further statement to Members as well.
We should not forget that this breach took place as a result of a criminal act. I can also happily confirm that no instruction whatsoever has been provided by the Welsh Government to NHS Wales to sit on this information. I think that sort of accusation is deeply unhelpful, and there will be members of staff, who are our constituents, who will be worried, but NHS organisations inform us that they expect every single member of staff to be informed by the end of this week. Part of the challenge though, Presiding Officer, is that a number of the staff who were affected by the data security breach no longer work for the national health service in Wales, as well. That explains part of the challenge, but obviously I’ll want current and former members of staff to be told as quickly as possible. As I say, I’ll provide a written statement within the course of this week, and subsequently when further and fuller detail is available.
Before I ask my question, can I remind the Chamber that my wife’s a radiographer and is therefore probably on that list of those whose data was breached? Cabinet Secretary, thank you for the answers you’ve given, and I look forward to the written statements you’ll be providing. But, clearly, as well as the data breach issues, there are questions as to what type of information was held and what type of information should be held, because I don’t think that the information I’m hearing about is appropriate for such a database, in that sense. What is the Welsh Government doing to ensure that, in future, the data that are going to be held on personnel are only relevant to the particular topic that they are being held for, and not actually on a wider basis? For example, I’m hearing about perhaps even addresses. Well, people’s addresses are not relevant to this information. So, it is important that we clarify what data is going on, and will he undertake a survey and a review of that type of data to ensure that, in future, only relevant data are held on individuals for particular purposes?
And can he also ensure that people are informed? You’ve indicated this week that they will be. My wife, when I spoke to her yesterday—she was off yesterday—hadn’t been informed of the breach, and therefore I’m assuming her colleagues hadn’t been informed of the breach in ABMU. In that sense, it is important that people are told what information is being held about them, what could have been lost on their behalf, so that they can review that information. Because, I’m hearing that Landauer are actually offering two years’ free access to Experian. Well, this could be longer than that to start with, and why should somebody have to keep looking at this website day after day to see if they’re at risk of actually having their identity stolen?
There are transparently serious consequences that flow from the data breach, and, for example, the national insurance numbers were used in order to have a unique identifier for individuals, because this is about tracking the individual’s exposure to radiation. So, you need a unique identifier, and there are challenges to review, again, how that is done. I also accept that there are challenges to be properly dealt with about the appropriate level of personal information to be kept and transferred, and then to ensure that people are properly informed, not just at this point in time, but I accept that this is not something that is necessarily going to just disappear over a period of months. So, there are plainly questions to resolve, and, as I said, Presiding Officer, I don’t think I can honestly give Members all of the answers to the questions they will quite rightly have and expect to be answered. That is why I’ll issue a written statement now and I’ll issue any further statement once that full and proper investigation has been done, because the questions David Rees raises are entirely understandable, and Members across this Chamber will have those concerns on behalf of their constituents, regardless of whether they are relevant or not. But, they are entirely fair questions.
Cabinet Secretary, this is the latest data breach to hit our health service, and this particular breach is devastating for the staff concerned. Although no patient data were involved on this occasion, it does highlight the concerns of many that the NHS cannot be trusted with personal information. Earlier this month, a former nurse was sacked by Hywel Dda university health board for breaching patient confidentiality. Yesterday, we learned that a north Wales physiotherapist has been suspended for removing patient files without consent. Cabinet Secretary, these data breaches do little to restore faith amongst the Welsh public that their sensitive health information is in safe hands with the Welsh NHS. Other countries have introduced legislation protecting health information over and above the existing data protection legislation. Do you think it’s time that we followed suit so that we can reassure the Welsh public and NHS staff that their sensitive information is safe?
I do try to be constructive in response, Presiding Officer, but I think that much of what was just said was deeply unhelpful. The accusation that the NHS cannot be trusted with information and then trying to draw a link between a data breach from a criminal act, where, of course, we want to ensure that cybersecurity on sensitive information is appropriate and up-to-date, as far as possible, against what we know is a continually evolving criminal community who are acquiring these data—to try to draw a link between that and individual professionals who have failed in their duty to their profession and to the people they are responsible to and for, I just think is deeply unhelpful. I do not accept that there is an appropriate link to be drawn.
Rather than attempting to scare members of the public about the safety of NHS data and suggesting the answer lies in the law—I don’t think the answer does lie in the law. It’s about our systems for protecting those data and in providing assurance for people who access those data that they can be trusted. If they breach their very clear obligations, either as employees, as healthcare professionals or in terms of breaching the law, then they can expect to be pursued for those breaches, but, actually, the important point about health data is of course you want them to be secure, but we want them to be shared. Members regularly ask me in committee and in this Chamber, ‘How can we ensure that health data and information are shared between healthcare professionals, because there is much healthcare gain to be made in the sharing of those data?’ We want secure systems, we want professionals who can be trusted and held accountable if they breach those obligations, and that is the basis on which I will continue to act in balancing all of those different aspects, but ensuring, ultimately, the best interests of the patient will guide what we do and do not do.
I feel great sympathy towards the individuals working in the NHS who have been affected in this way and also, of course, those who are working outside the NHS in Wales who also have been affected. I do, however, think that the Velindre hospital trust that runs the radiation protection service based in my constituency of Cardiff North has responded appropriately to this incident, which was, of course, beyond their control. I do feel reassured that, certainly in the case of the Velindre staff who have been affected, enough support has been given to the 530 individuals affected. I know that as well as having the letter—individual letters sent to the individuals involved—there has also been the opportunity for individual consultation with all those people affected where they can ask any particular questions and can raise any queries. So, would the Cabinet Secretary agree that the other health boards that are in the process of informing their members of staff that this breach may have occurred—that individual consultation is also offered, because I think that is a way of reassuring, so that they are able to have face-to-face meetings?
Also, I think that it is important, obviously, that individuals are informed as swiftly as possible, but it’s also very important that the right individuals, at the right addresses and in the right trusts are informed. With the thousands who have been affected by this, it’s absolutely essential that there is time to establish that you are not, for example, contacting somebody who may have died in the interim, but you are actually contacting somebody who is actually there, working in the trust, and has been affected by this. So, there is bound to be an inevitable time lag while all these details are looked into. Would the Cabinet Secretary agree that it is essential that care is taken over reaching the individuals involved, but that it should be done as quickly as possible?
I thank the Member for pointing out the balance to be struck in ensuring that people are informed as soon as possible and, at the same time, that there is accuracy in those people that are informed. You’re right; over 3,000 NHS staff have been affected, but there are a number of people outside the NHS affected as well. I do think that other health organisations could look at what Velindre have done in providing the support and guidance that you mentioned, and also the fact that all Velindre staff have now been contacted and provided with that support and guidance. I believe that Velindre have also managed to write to their former staff now as well. So, there does need to be care taken and attention paid when reaching staff within and outside the NHS—those who are no longer employed by the NHS—ensuring that there is real accuracy in that and, of course, that those members are updated as the picture evolves as to what happened and why, and what will then be done afterwards as a consequence.
I draw Members’ attention to my register of interests and my wife’s employment as a radiographer. Can I welcome his reassurances today, but also the fact that he’ll bring forward a more detailed written statement? I suspect that we may have to come back at some point in the future as well with an even more detailed statement. Perhaps some of the questions I have might help guide his subsequent responses. First of all, do we know now the full extent of those who have been affected by this data attack—this cyber-attack—or do we feel that it could actually spread beyond those that have already been reported in the press and media? Secondly, have all those who have been affected—that we know have been affected—been informed? It would be good to get that reassurance. Secondly, if not now, how soon can those who suspect that they may have been affected, but actually are in the clear, be informed that they have nothing to worry about? Thirdly, do we know that this is, or will the investigation tell us whether this is the result of an aggressive cyber-attack that could not be defended against? Or if we find that, actually, this is a—. We don’t know this yet, but if the investigation turns up that this is a lapse in the defence and the levels of defence that were there, what liabilities does the private company or the health board have to those people who are affected? Finally, looking further ahead, and following the questions from Darren, knowing that the repercussions of this could spread, not in the months ahead but the years ahead, could we seek some assurance of what responsibility and what liability the company, the health board and others may have to those individuals who may be affected, who may be affected by data theft, credit loss and many other more serious eventualities way down the line? What protections are they now given because of this data breach?
I thank the Member for the series of questions. I believe that the figures published are accurate. They identify the—. Our understanding is that over 4,700 staff in Wales had their data stolen from the server of the private contractor—as I say, from their servers based in Oxfordshire. I’m not aware of those affected in Scotland or in England. Those are matters for colleagues in the UK Government and in the Scottish Government. Again, I’m happy to say that my understanding and expectations are that, by the end of this week, all staff who have not been informed will have been, and that should provide reassurance to people that have not been informed. But I take on board the point that there will be people who will be genuinely concerned about whether their data has been accessed and they have not been informed as of yet.
On your finishing point on whether or not there is potential liability, well, that’s what we will need to understand as the report concludes, as to what happened in this instance, how promptly action was or was not taken, and then ultimately the respective obligations of both the NHS and the contractor. This is a specialist contractor who provides healthcare services of this type, as I say, within the UK, but also on a global basis as well. It is my understanding this is not a data breach that results from a careless leaving of a disk or a pen drive in a public place, as we’ve seen, sadly, in the recent past, but that this was a cyber-attack upon the servers. So, it’s not a case of data being left carelessly, but of course we want to look at what sort of cybersecurity this particular company had at the time, and equally, I know that Members want to be reassured that there has been an appropriate response to the attack that has taken place. So, as I say, I’ll provide as much information as I can do to be helpful in my first written statement, but as I’ve said earlier, I expect to provide a second written statement once a report is available and we’re able to share that with Members and the wider public, who will understandably be concerned.
Thank you, Cabinet Secretary.