When Data Protection Becomes a Matter of Life and Death
By Steven Williams
The most dangerous data breaches are often the quietest ones. While ransomware attacks make headlines, a security guard accessing files he shouldn’t touch, a patient record sent to the wrong email, or medical forms left on an unattended desk can be equally devastating—and far more common.
Initially, I thought we would pass through October 2025 without a major event underscoring the importance of Cybersecurity Awareness Month in the healthcare sector. I am glad I was wrong. On Wednesday, October 22nd, the Ministry of Industry, Innovation, Science and Technology (MIST), together with the Office of the Data Commissioner, hosted a seminar on the Data Protection Act, 2019-29, and its implications for handling sensitive personal data.
The objectives of the seminar were to:
- Raise Awareness
- Promote Compliance and Best Practices
- Strengthen Accountability and Trust
- Highlight Sector Relevance
It is this fourth objective—highlighting relevance to the healthcare sector—that I want to focus on. Among all categories of personal data, healthcare information is the most sensitive. From a critical standpoint, it is perhaps the only type of data which, if left unguarded, can directly cost someone their life.
A Matter of Life and Death
During a briefing to ambassadors on November 8th, 2024, Dr. Tedros Adhanom Ghebreyesus, Director-General of the World Health Organization (WHO), emphasized the devastating impact of cyberattacks on hospitals. He called for urgent global action to address this growing crisis. “Ransomware and other cyberattacks on hospitals… are not just issues of security and confidentiality. They can be issues of life and death,” he stated.
Hackers understand that medical facilities cannot afford downtime. Many operate on outdated systems, making them attractive targets. According to Cisco’s Talos security unit, healthcare providers were the industry most targeted by ransomware worldwide over the past year. This trend is driven by underfunded cybersecurity budgets and the sector’s extremely low tolerance for service disruption.
While the most publicized local incident was the data breach at the Barbados Revenue Authority (disclosed on October 1, 2024), the most serious breach to date occurred at the Queen Elizabeth Hospital in December 2022. That attack disrupted critical IT systems and caused significant delays in medical services.
Beyond the “Hacker” Narrative
While data breaches are often viewed primarily as cybersecurity failures, that perspective tells only a fraction of the story. Under any data protection law, a breach is not defined solely by a malicious system compromise. It encompasses any unauthorized access, disclosure, or loss of personal data—whether caused by external attackers, internal mishandling, or simple human error.
This distinction is vital because it shifts responsibility from the IT department alone to the entire organization. A breach occurs when an employee sends a patient file to the wrong email address or fails to properly dispose of outdated forms. Each represents a failure in data protection, even if no hacker is involved.
I remember a personal situation during the COVID-19 period when a family member had to collect medical records. When they arrived, a security guard stopped them and asked them to wait outside while he retrieved the files. At the time, this might have seemed trivial, but it was a breach of proper data handling. The guard was not authorized to manage sensitive medical information, and the front-desk clerk who handed the files to him acted outside the appropriate boundaries of access control.
The Path Forward for Barbados
The composition of the October seminar reflected a deliberate balance between cybersecurity practitioners and data governance specialists. The event featured a diverse lineup of speakers, including:
- Jabarry Garnes, a digital governance specialist;
- Captain Donovan Smith, Head of the National Cybersecurity Unit;
- Ms. Lisa Greaves, the Data Commissioner.
These local experts are a strong reminder that Barbados has the homegrown talent needed to shape its own path toward responsible digital transformation.
As the healthcare sector continues to evolve, the intersection of privacy and cybersecurity will define how public trust is maintained. The seminar signaled that Barbados is moving beyond general awareness toward implementation. Protecting sensitive data requires more than technical safeguards; it demands leadership commitment and a culture that values confidentiality as much as clinical care.
My takeaway from this event is that the healthcare sector is finally giving weight to its responsibilities under the Data Protection Act. I hope this seminar foreshadows a greater evolution toward meaningful enforcement and focused attention on data governance.
The conversation on October 22nd should not end there. It should mark the beginning of a structured national approach to privacy—one that combines strong governance, modern cybersecurity, and the local expertise Barbados clearly possesses.