A data leak earlier this year saw the personal data and even laboratory test results of some 6,000 patients posted online, said the National Institute for Health and Welfare (THL) on Tuesday.
The data ombudsman informed THL of the leak in August. The institute then removed the data from two online services where the data had been available to view.
Read more on YLE.fi.
The following is the full statement by THL:
Confidential personal information was leaked online from the National Institute for Health and Welfare. The National Institute for Health and Welfare was informed about the incident by the Office of the Data Protection Ombudsman. The information was removed from the internet immediately upon discovering what had happened.
As a result of the data leak, which was caused by a human error, the names, personal identity codes and one laboratory result of nearly 6,000 people became publicly available online. The laboratory result indicates the capacity of a bacterium to resist an antibiotic (antimicrobial resistance). The information did not include any addresses or medical records.
The National Institute for Health and Welfare is doing everything in its power to ensure that no harm will be caused to those affected by the incident and that no similar incident can occur in the future.
What has been done about this issue?
- When it was discovered that data had been leaked, the data were removed immediately from the two online services where they could be found.
- Based on a request by the National Institute for Health and Welfare, the search engine operators instantly removed the links to the information from the search engine memory.
- The National Institute for Health and Welfare has commissioned a long-term, careful monitoring of all public websites to find any remaining leaked confidential information and delete it from the internet. None has been found so far. The monitoring will be continued until further notice.
- We have sent a letter to those subject to the data leak on Monday 25 September. In the letter, we report what happened, provide operating instructions and apologise for the incident.
- As a precautionary measure, the letter recipients have been provided with instructions to follow their invoicing and credit and debit card information.
- The time for contacting the parties concerned was selected to allow enough time for performing extensive monitoring of the internet. These measures were taken to ensure the data protection of those affected by the incident to the best possible extent.
A case of a human error in the processing of personal information
The leak was not caused by a data breach but, instead, a human error in the processing of personal information. The employee who had been processing the data had used the information containing personal identification codes for statutory work purposes. The data leak did not occur directly from the register system. The error occurred as the employee was mistakenly using data containing personal information when preparing presentation material for reporting purposes.
The National Institute for Health and Welfare has obtained the information from different laboratories for the purpose of its statutory duties laid down in the Communicable Diseases Act, such as regulatory reporting.
“I apologise that confidential information ended up online and any concern caused to those subject to the data leak. The National Institute for Health and Welfare is responsible for the incident. We take information security extremely seriously and are checking our internal processes related to it in order to ensure that nothing like this will happen in the future”, says Director General Juhani Eskola.
Due to data protection reasons, the National Institute for Health and Welfare cannot provide more specific details of the incident. This aims to prevent any possible damage caused to those subject to the data leak. No misuse of the information that was available online has come to the attention of the National Institute for Health and Welfare.
For interview requests, call the Communications hotline at +358 (0)29 524 6161.
You have to go to the FAQ to finally get an answer as to when the data were first exposed:
When was the information leaked? How long was it available online?
The personal identity codes could be found via online search engines since April 2017. The National Institute for Health and Welfare was informed about the data leak in August 2017. The data were removed immediately from the two online services where they were stored as well as from online search engine caches.