A fake phishing email sent out to all staff at one of the largest trusts in the country fooled 400 NHS staff into replying with confidential information.
The Leeds Teaching Hospitals NHS Trust undertook a cyber-security review exercise that included a counterfeit phishing email being sent out to all 17,000 staff. Some 2.3% of staff were lured into giving confidential information.
The trust’s latest board papers reveal that the Mersey Internal Audit Agency (MIAA) has produced a draft report for Leeds Teaching’s Audit Committee.
The papers said that 400 staff had handed over details including passwords to network credentials.
“Early results suggest we have good firewall protection but, like other organisations, are prone to human frailties in responding to suspicious emails.”
Tony Cobain, assistant director for informatics and infrastructure at MIAA, “stressed that in a real cyber-attack a breach and penetration could be achieved by one person responding to such a ‘phishing’ email”, the papers said.
A spokesman for Leeds Teaching said that the report was commissioned as part “of our continuous cyber security monitoring and assurance process”.