Data breach by Stor-a-File affecting Lister Fertility Clinic, Marie Stopes and British Pregnancy Advisory Service
Leading data breach lawyers say that this month’s announcement by Stor-a-File, the document management firm, that data it held electronically for 13 organisations had been hacked is likely to lead to substantial claims for compensation by those affected.
Posted on 23 November 2021
One of the organisations affected appears to be the Lister Fertility Clinic. In a letter sent to about 1,700 affected patients earlier this month, the clinic confirmed that it used Stor-a-File for the scanning of its patients’ and partners’ medical records and that it had been advised by Stor-a-File in October 2021 that its IT systems had been hacked by cyber-criminals in August 2021.
It is reported that notorious cyber-criminals known as Cl0p, thought to be based in Russia or a former Soviet Union country, were responsible for the hack and that they exploited outdated and vulnerable server software being used by Stor-a-File. It is also reported that Cl0p demanded a £3 million ransom in Bitcoin cryptocurrency and that, following Stor-a-File’s refusal to pay, they released tens of thousands of files on to the dark web, a part of the internet used by criminals that is accessible with specialist software.
The clinic’s letter stated that affected medical records included consent forms, medical history and test results, recommendations for treatment, and fertility treatment records. While the letter stressed that no data belonging to Lister patients had been released and that Stor-a-File had been told by the cyber-criminals that "they don't intend to release medical records on the dark web", the clinic explained that it could obviously not guarantee this would not happen.
The identity of some, but not all, of the other affected organisations is known. Stor-a-File have confirmed that the same attack also affected the Nuffield Health Leicester Hospital. The hospital has stated that although data was taken as a result of the attack, no "medical scans, images, diagnostic, payment card or contact information about Nuffield Health patients have been published online".
It is reported that documents released on the dark web by Cl0p include “details of British women who have had abortions at clinics run by Marie Stopes and British Pregnancy Advisory Service (BPAS), including names, dates of birth, home addresses, phone numbers and even scans of foetuses”.
BPAS have confirmed that personal data relating to six women treated between 2013 and 2016 was hacked and the affected individuals have been contacted. Marie Stopes (now known as MSI Reproductive Choices) and BPAS state that they have informed all patients who may have been affected by the data breach.
It is also reported that “highly sensitive medical records including details of abortions, HIV tests and mental health issues have been leaked online” and that “other stolen records involve those suffering with anorexia, addiction and erectile dysfunction.”
It is also reported that a small number of NHS Trusts have been affected by the data breach.
In addition, the cyber-criminals claim to have stolen files containing the names of British military personnel in Kuwait and people who work in military intelligence.
The Information Commissioner's Office (ICO), the National Crime Agency (NCA) and the Leicestershire Police Department are all investigating the matter. The ICO have stated "People have the right to expect that organisations will handle their personal information securely and responsibly. We are thus enquiring into this incident so that such incidents are not repeated."
Sean Humber, a data breach specialist and partner at Leigh Day, who has successfully acted in a series of claims for patients relating to the unauthorised disclosure of confidential medical information over the past 20 years, stated:
“Details of this data breach are only slowly emerging. However, it seems increasingly clear that this is a very serious data breach, particularly in relation to the highly sensitive personal data accessed. Stor-a-File have failed to keep their customers’ data secure, as a result of which the very sensitive personal data of many individuals, most of whom were probably unaware that Stor-a-File were even handling their information, has been unlawfully accessed.
“On the face of it, Stor-a-File’s failure to keep this information secure seems a clear breach of the General Data Protection Regulation (GDPR). As such, those individuals affected are likely to be entitled to compensation for the distress and anxiety caused by the breach as well as any financial losses that they may have suffered. Given, in many cases, the sensitivity of the information, it is likely that this compensation will be substantial.
“It is important to remember that these claims for compensation by those affected are entirely separate from any regulatory fine that Stor-a-File may now face from the Information Commissioner’s Office for breaches of the GDPR.”
Gene Matthews, a partner at Leigh Day, who has successfully acted in a succession of group claims over the past 20 years, added:
“This is likely to be an uncertain and worrying time for those affected. It is important that Stor-a-File and their customers now keep affected individuals fully updated about the breach, including whether any of their information has been published on the dark web.”
If you have been affected by this data breach and wish to discuss, in complete confidence and without any obligation, bringing a claim for compensation on a “no win, no fee” basis then please get in touch by calling Sean Humber on 020 7650 1200.