Question to the Department of Health and Social Care:
To ask His Majesty's Government, in the NHS database hack by Qilin in June, (1) how many individual patients' data were hacked, (2) whether data were hacked that could be used to identify any individual, (3) whether, and what, medical information was hacked, and (4) whether any results were hacked and, if so, what type of results.
The data leaked following the cyber-attack on Synnovis is still being investigated by Synnovis. This involves interrogation to identify the personal data that has been affected. The complexity of the investigation means it will take time for Synnovis to clarify and identify which individuals and organisations have been impacted and the nature of the data.
We understand that the data leaked in the Synnovis cyber-attack was not taken from a single database but was a partial copy of content from Synnovis’s administrative working drives.
When any databases which contain personal data are established by an organisation, the organisation has its own legal responsibilities as a controller of the data to ensure data protection by design and default in the design and development of a database, and to carry out a data protection impact assessment (DPIA) under the UK General Data Protection Regulation. A DPIA includes an assessment of any risks to individuals, and how these risks are mitigated.