May 2021 data breach round-up

By Legal Futures Associate Hayes Connor Solicitors

May was as busy a month as ever in the world of cybercrime and data breaches, with a number of different cases cropping up in a variety of sectors.

In May, there were a number of significant data breaches, including an airline exposing data belonging to 4.5 million of its customers, concerns over a data breach related to Covid vaccinations and a probe into a mental health clinic whose poor response led to clients’ personal information being exposed.

Read on to learn more about some of the biggest data breaches to hit the UK in May 2021.

4.5 million people’s data exposed following IT system hack on Air India

In May, Air India disclosed that it had experienced a data breach affecting at least 4.5 million customers after a sophisticated cyber-attack on its IT system.

As per Sky News, the details belonging to affected customers included names, passport information and payment details stretching back over 10 years. Air India claim that the compromised software was operated by SITA Passenger Service System.

SITA put out a statement acknowledging the hack at the beginning of March, but they did not specify how many people were affected or which airlines had fallen victim.

In a statement, Air India stated they were: “Investigating the data security incident, securing the compromised servers, engaging external specialists of data security incidents, notifying and liaising with the credit card issuers and resetting passwords of Air India Frequent Flyer Program.”

They also added: “While we and our data processor continue to take remedial actions including but not limited to the above, we would also encourage passengers to change passwords wherever applicable to ensure safety of their personal data.”

Covid vaccination booking site leaks medical data belonging to patients

NHS Digital is said to be revising its process for booking Covid vaccinations in England after it was discovered that users’ vaccination statuses could be easily breached due to poor security procedures.

The Guardian reported that users could make appointments on the website using their NHS number or, if they did not have that to hand, some basic personal information. However, in the process, users’ vaccination status was disclosed. So, an individual who had the basic personal details of a friend, colleague or stranger could find out whether or not they had received a vaccination – something that should be confidential.

A spokesperson said of the matter: “The NDG has contacted the organisations which run the website to ensure that they are aware of the concerns that have been raised and will discuss with them the twin important aims of protecting confidentiality whilst maintaining easy access to vaccinations for the public.”

NHS Digital also said that it was working on revising the pages, with a spokesperson stating: “The online ‘book a coronavirus vaccination’ service has enabled millions of people to book their vaccinations quickly and easily, with over 17m first and second dose appointments made in over four months.

“The system does not have any direct access to anyone’s medical record and people should not be fraudulently using the service – it should only be used by people booking their own vaccines or for someone who has knowingly provided their details for this purpose.”

Edinburgh mental health clinic in probe after client information is accessed in scam

An Edinburgh mental health clinic is at the centre of a probe after a phishing attack resulted in hundreds of clients’ contact details being accessed by an unauthorised third party.

Edinburgh Live reported that The Edinburgh Practice has been accused of failing to properly notify patients of the attack, despite receiving various complaints. Dozens of service users at the clinic had previously raised concerns with the ICO when they received emails from scammers who sought to harvest their personal information through a virus disguised as an important document.

Police Scotland are understood to have launched an investigation into the incident through their cybercrime unit.

Dr Fiona Wilson, Clinical Director at the clinic said: “We want to assure our clients that we acted swiftly and decisively to deal with this issue.

“Given the nature of the services we provide, we take client confidentiality very seriously at The Edinburgh Practice and operate robust digital security and GDPR-compliant data practices. We have also implemented additional procedures to give us and our clients further assurance.

“Thankfully, the impact was minimised as far as possible, and we have worked with various cyber and security experts to deliver additional levels of protection.”

Senior medic at Liverpool Women’s Hospital loses private data belonging to patients

Miguel Martin Garcia, a senior medic at Liverpool Women’s Hospital, was suspended after he lost sensitive patient data while carrying out a clinical trial without permission.

Mr Garcia used patient consent forms headed with the trust’s branding and took boxes of patient records to a private practice. Liverpool Echo report that this was done to avoid the process of obtaining research approval.

However, Mr Garcia later reported his own research data missing, which included two box folders of patient information from a gynaecological hospital. A disciplinary panel found that patient confidentiality had been breached – though no harm ultimately came to any patients.

A ruling from the panel stated: “The Panel was satisfied that these were extremely serious breaches of the Trust’s patient confidentiality and data protection procedures.”

Misconfigured cloud services exposed 100 million Android users’ data

Security researchers discovered 23 separate Android applications that potentially exposed over 100 million users’ personal data through a number of ‘misconfigurations’ of third-party cloud services.

As per ITPro, the data exposed from the apps in question include emails, chat messages, location details, passwords and photos. Researchers have said that there were no protections in place to stop the unauthorised access from happening.

Google and the respective app developers were approached before this research was published to share the findings. Only a few of the apps have since changed their configurations following this report.

What to do if you or a client need help with a data breach

If you are looking for expert advice in relation to data breaches or you think you may have fallen victim to a data breach, the team at Hayes Connor will be on hand to provide you with the tailored advice you need.

Hayes Connor take on cases directly from clients, as well as taking on referrals from other law firms, where specific expertise in handling data breach claims is required to bring forward an effective case.

With a wealth of combined experience across our team, we know exactly how to handle all manner of data breach claims, no matter how big or small, reaching the best possible outcome for our clients.

To find out more about the team’s expertise, or to get in touch about a potential claim or client referral, please head to


Associate News is provided by Legal Futures Associates.