In December, a document – which included names, addresses, phone numbers, email addresses and some payroll numbers of 24,099 employees and locums – was sent as an email attachment to an undisclosed number of Well locums.
C+D readers have flagged they have been contacted by Well to inform them that some of their data was included in the emailed document, despite not having worked for the multiple for more than five years in some cases.
Chris Ellett, Well transformation director and senior information risk owner, told C+D yesterday (February 5) the multiple is required to retain data “for a variety of regulatory purposes, the main one being HM Revenue and Customs, who require us to keep records for seven years”.
“We are analysing the data in [our system] to identify records that are older than that, for locums who would consider themselves dormant, and will take appropriate steps for the records we find,” Mr Ellett said.
Well “continuing to work with ICO”
Well has contacted the “majority of affected data subjects” by email or post, and will “continue to make further attempts where mail has been returned to sender”, Mr Ellett said.
The multiple has taken steps to reduce the risk of another, similar incident occurring, he added.
“Well Pharmacy continues to work with the Information Commissioner’s Office (ICO) in respect of the breach, and have been completely transparent about the findings of our investigation.
“We appreciate that the ICO is dealing with a large volume of work following the implementation of the General Data Protection Regulation, and we will respond to any actions they recommend,” Mr Ellett added.