Saturday 20 April 2019

Alert as 170,000 blood donor files are stolen

Breda Heffernan and Edel Kennedy

A laptop with the confidential records of more than 170,000 Irish blood donors and 3,200 patients has been stolen in New York.

The Irish Blood Transfusion Service (IBTS) last night admitted it was "deeply concerned" by what is the first major data protection scandal to hit Ireland.

The IBTS will be writing to all donors concerned this week, warning that their information could be accessed by criminals who made off with the laptop.

But last night, a leading data- protection expert warned that the IBTS could be open to a flood of lawsuits if the confidential records are made public.

He also questioned why the data was taken out of the country and out of the possession of the board in the first place.

The expert queried why personal data was used during a software update when other less sensitive material might have sufficed.

The information stolen includes names, genders, dates and places of birth, telephone numbers and the blood groups of all those who made donations during a three-month period last year.

Embarrassingly for the board, the records were stolen from a worker at a New York blood bank which had been contracted to upgrade its software. The worker was mugged outside his home while in possession of a laptop containing the sensitive information on February 7.

A police investigation has so far failed to recover the missing computer and those affected have not yet been informed.

The files relate to 174,324 donor records and 3,294 patient blood group records made between July 2 and October 11 last year.

This latest breach comes after the Irish Independent revealed earlier this month that more than 80 Government laptops have either been stolen or are missing.

The Government denied that any personal data had been lost in those instances.

However, Britain has been rocked by recent data protection scandals including the Ministry of Defence loss of three laptops, and the loss of Child Benefit data, containing personal information on millions of people.

The IBTS was forced to issue a statement on the lost blood records on foot of a series of questions put to it by the Irish Independent yesterday.

A spokesperson for the board sought to reassure unwitting donors, stressing that the files are heavily encrypted. However, she conceded that there is still a possibility that the personal information could be accessed by an outside party.

"We are always aware of the potential for data loss and took all measures to ensure that state-of-the-art data encryption was used. The records were on a CD that was encrypted with a 256-bit encryption key," she said.

Encrypted

"These records were transferred to a laptop and re-encrypted with an AES 256-bit encryption key. This represents one of the highest levels of security available and to our knowledge there is no record of a successful attack against this level of encryption."

Data Protection Commissioner Billy Hawkes was alerted to the breach of security four days after the robbery. However, those donors and patients affected by the blunder will only be alerted two weeks after the fact ,with letters due to be posted on Friday. The board had sent the data to the New York Blood Centre (NYBC), a public service blood bank, in order to upgrade the software used to analyse donor information.

An agreement between the two sides set out details of the "robust measures" which the NYBC was supposed to take to ensure its safety. It was, however, allowed to store the information on laptops which could then be taken outside the centre.

Appropriate

Professor Robert Clark, an expert in Data Protection Law at UCD, last night said a number of questions arise from the theft.

"Why did it (the information) go to the US in the first place? Were the appropriate legal safeguards in place? Why was the laptop transferred to someone else and not still in the possession of the IBTS? "

He said blood donors can take some comfort in the fact that the CD was encrypted. However, he warned that a computer expert could theoretically access the personal information.

"It all depends on the level of encryption. If the level is high enough it shouldn't be possible. But nobody should be carrying around information of that nature because it could be capable of being decrypted," he warned.

He added that there is an agreement between the US and the EU which allows for the sharing of some personal data, but questioned why personal data would be brought to another jurisdiction for technical reasons.

A spokesperson for the board said: "We are writing to each donor affected by this incident to reassure them and to advise them of the possibility, however remote, that their personal data might be accessed.

Donors can also contact an information line 1850 731 137.

Editor's Choice

Also in Irish News