A Summer of health data breaches

Personal data has been used to respond to multiple challenges of the COVID-19 pandemic, not only in information systems to fight the spread of the virus and in the context of medical research but also, more widely, in all the daily uses of digital technology that have exploded since the first lockdown, whether social networks, videoconferencing or online purchasing.

Whilst there is no doubt that data should be collected and shared to handle the pandemic, citizens’ rights still have to be guaranteed. To this end, the World Health Organization published guidance to strengthen health information systems[1].

Indeed, as a result of intensive data sharing, health data breaches became more frequent. One of the most recent examples of this phenomenon is the Paris Hospitals (AP-HP) leak, which led authorities last week to warn 1.4 million patients affected by the theft of their personal data after a cyberattack this summer[2]. In the process, patients’ identities, social security numbers and contact details were stolen, as well as the identity and contact details of the healthcare professionals taking charge of them, and the characteristics and results of the tests carried out.

The main risk deriving from such a hack is linked to phishing. Cybercriminals can send disguised emails to affected individuals and attempt to obtain new information such as passwords or bank details. Moreover, social security numbers contain a lot of information about individuals: they give one’s gender and the year, month, department and municipality of birth. By stealing this data, cybercriminals can therefore falsify documents to generate fake social security cards. The social security number is also used to access tax notices and income.

This isn’t the first time in the last few months that a healthcare flaw has been exploited by cybercriminals. Since the beginning of the pandemic, personal data has circulated more due to the increase in consultations, tests, and data sharing processes.

The healthcare industry is facing multiple data breaches and threats to citizens’ privacy. The Irish healthcare system has also been the target of cyberattacks this year, which had huge impacts[3]. Health workers had no choice but to continue working with paper records when IT systems were not accessible, the number of appointments dropped, and in the end, patients were deprived of care services. The NHS has not been left unscathed either and delayed its GP data scheme after backlash[4]. Regulators have faced excesses on all sides, and the ICO, like other data protection authorities, has fined firms that took advantage of the pandemic to breach data protection regulations[5].

More data breaches and cyberattacks are expected in the coming years. Therefore, it is the responsibility of governments and organisations to ensure that this data is safe. Citizens’ rights should not be sacrificed in the emergency, and solid health systems will benefit society as a whole.

[1] WHO/Europe | Evidence-informed policy-making – The protection of personal data in health information systems – principles and processes for public health (2021)

[2] L’AP-HP porte plainte suite à une attaque informatique sur son service sécurisé de partage de fichiers | APHP

[3] Cyber-attack on Irish health service ‘catastrophic’ – BBC News

[4] NHS delays GP data scheme following backlash | Financial Times (ft.com)

[5] ICO fines firms for sending more than 2.7 million spam text messages during the pandemic | ICO

