The most dangerous data breaches are often the quietest ones. While ransomware attacks make headlines, a security guard accessing files he shouldn’t touch, a patient record sent to the wrong email, or medical forms left on an unattended desk can be equally devastating—and far more common. As Cybersecurity Awareness Month winds down, I initially thought we would pass through October without a major event underscoring its importance in the healthcare sector. I am glad I was wrong. On Wednesday, October 22nd, the Ministry of Industry, Innovation, Science and Technology (MIST), together with the Office of the Data Commissioner, will host a seminar on the Data Protection Act, 2019-29, and its implications for handling sensitive personal data.
The objectives of the seminar are to:
- Raise Awareness
- Promote Compliance and Best Practices
- Strengthen Accountability and Trust
- Highlight Sector Relevance
It is this fourth objective, highlighting the relevance to the healthcare sector, that I want to focus on in today’s column. Among all categories of personal data, healthcare data is the most sensitive and consequential. From a critical standpoint, it is perhaps the only type of data which, if left unguarded, can directly cost someone their life.
During a briefing to ambassadors on November 8th, 2024, Dr. Tedros Adhanom Ghebreyesus, Director-General of the World Health Organization (WHO), emphasized the devastating impact of cyberattacks on hospitals and healthcare services. He called for urgent and collective global action to address this growing crisis.
“Ransomware and other cyberattacks on hospitals and other health facilities are not just issues of security and confidentiality. They can be issues of life and death,” he stated.
Hackers understand that medical facilities, particularly hospitals, cannot afford downtime. Many operate on outdated systems, making them attractive targets for cybercriminals. According to Cisco’s Talos security unit, healthcare providers were the industry most targeted by ransomware worldwide over the past year. This trend is largely driven by underfunded cybersecurity budgets and the sector’s extremely low tolerance for service disruption.
While the most publicized local incident was the data breach at the Barbados Revenue Authority, disclosed on October 1, 2024, the most serious breach to date occurred at the Queen Elizabeth Hospital in December 2022. That attack disrupted critical IT systems and caused significant delays in medical services.
While data breaches are often viewed primarily as cybersecurity failures, that perspective tells only a fraction of the story. Under any Data Protection or Privacy Law, a data breach is not defined solely by a system compromise or malicious intrusion. It encompasses any unauthorised access, disclosure, alteration, or loss of personal data, whether caused by external attackers, internal mishandling, or simple human error.
This distinction is important because it shifts responsibility from the IT/Cybersecurity department alone to the entire organisation. A breach can occur when an employee sends a patient file to the wrong email address, leaves records unsecured on a desk, or fails to properly dispose of outdated medical forms. Each of these incidents represents a failure in data protection, even if no hacker was involved.
I remember a personal situation during the COVID period when a family member had to collect medical records on behalf of another. When they arrived, a security guard stopped them and asked them to wait outside while he retrieved the files. At the time, this might have seemed trivial to many, but it was in fact a breach of proper data handling practice. The guard was not authorised to access or manage sensitive medical information, and the front-desk clerk who handed the files to him also acted outside the appropriate boundaries of access control.
This example highlights a key point that is often overlooked. Data protection laws are not limited to digital systems or cybersecurity controls. They are concerned with the entire lifecycle of personal data and the procedures that govern how information is collected, stored, accessed, and shared. Whether a record exists on paper or in electronic form, the same duty of care applies.
The composition of the upcoming seminar appears to reflect a deliberate balance between cybersecurity practitioners and data governance specialists. The event will feature a diverse lineup of speakers representing some of the island’s leading minds in digital governance, law, and cybersecurity. Among them are Jabarry Garnes, a digital governance and transformation specialist focused on aligning law, data privacy, and technology to build accountable, citizen-centric institutions; Captain Donovan Smith, Head of the National Cybersecurity Unit, a seasoned telecommunications professional with extensive experience in network engineering and cyber resilience; and Ms. Lisa Greaves, the Data Commissioner, an attorney-at-law with more than twenty years of experience, whose office continues to champion public awareness of the Data Protection Act and its implications for both organisations and individuals.
These are just a few of the local experts who will be contributing to the discussion. It is a strong reminder that Barbados has the homegrown talent needed to shape its own path toward responsible digital transformation.
As the healthcare sector continues its digital transformation, the intersection of privacy and cybersecurity will define how public trust is maintained. The upcoming seminar signals that Barbados is moving beyond general awareness toward implementation, where policy must now translate into everyday practice.
Protecting sensitive data, especially in healthcare, requires more than technical safeguards. It demands leadership commitment, employee training, and a culture that values confidentiality as much as clinical care. Every staff member, from the front desk to the IT team, plays a role in ensuring patient information remains secure.
So, what are my hopes, expectations, and takeaways from this very important event? That regardless of turnout, the healthcare sector gives true weight to its responsibilities under the Data Protection Act and understands how data protection aligns directly with excellence in patient care. I hope this event will be one of many that foreshadow a greater evolution toward meaningful enforcement of the Act.
I do expect, however, that since we are quite good at putting on a show, the event will be well attended. My real hope is that the serious nature of its content will translate into more focused attention on not just cybersecurity, but on data governance.
The focus by the Ministry and the Office of the Data Commissioner is both timely and necessary. It reinforces that data protection is not an abstract legal concept but a core element of public service delivery and patient safety. The conversation starting on October 22nd should not end there. It should mark the beginning of a more structured national approach to privacy, one that combines strong governance, modern cybersecurity, and the local expertise that Barbados clearly possesses.