A USB memory stick containing personal information on patients and staff at a secure hospital near Falkirk has been found in a car park outside an Asda store in nearby Stenhousemuir. Data on the unencrypted device included names, addresses and (worse still) medical records of patients. A member of staff at the Tryst Park unit at …
The only person who should be suspended is the CEO, who still permits systems which allow unencrypted data to be removed from site.
Surely he must be the data controller and so be getting ready to write a cheque to the ICO for £500,000
Typical From Forth Valley NHS
As a Falkirk native, this is not at all surprising. The local NHS here has been dismantled to the point it no longer does anything useful. Also, with our local MP (Eric Joyce) more interested in claiming the highest expenses of any MP in the UK, nothing will be done as usual.
Flames because Guy Fawkes had the right idea...
I bet that the person suspended is the one at the bottom of the food chain. I'll also bet they won't suspend the manager/s in charge who should have had a system in place to make sure that it was difficult for the data to get lost or, if it did, that it was securely encrypted and backed up.
Don't these fuckwits ever learn?
The Daily Record report says there were also criminal record details on the memory stick.
I suspect that this part might also embarrass the hospital.
"The files reveal that a lack of sinks in dining areas at the unit threatens to contaminate food, spread disease and raises the "possibility of a major outbreak"."
How many times? Just how many times do these cretins need before they get a clue?
Why was it even possible to connect the USB device? Surely they disable the unnecessary ports?
There is NO NEED for ANY DATA of this kind to be put on removable media.
It should all be held in the ECM system under proper security.
If any data does need to go on to removable media, it MUST be encrypted. END OF DISCUSSION. You can even have the ECM system export using a personal key. It's not difficult.
I feel for the idiot who lost the data, but I don't totally blame them. Their bosses need taken to task and a few of them sacked. Only holding these civil morons to standards will make them see sense.
It utterly beggars belief.
Interesting. I must have missed the report on Falkirk getting robots that will go to the local supermarkets to get their masters some lunch, and carry USB sticks in their basic, metal claws.
Sounds more like an error between chair and keyboard to me.
what's that noise?
it sounds almost like the sharpening of knives and the heating of oil?
Oh! don't worry, it's only the ICO.
Nice to see....
The CEO of Checkpoint has a grasp on the situation, couldn't be that he's hoping to sell more product could it?
Government has been losing our data since government was invented, we just have a much greater ability to lose a lot of data these days.
CESG are great at coming out with lots of wonderful standards for departments and agencies to adhere to, sadly they never hand out the budget to do it, and often the costs are prohibitive.
"The unit treats patients with severe mental health problems."
Sounds like they employ a few of them as well!
No mention of a "computer fault"?
The original reports of this spoke of NHS Forth Valley claiming a "computer fault" - not sure how that could happen, unless the stick was automatically ejected with enough force to fire it a couple of miles to Asda's car park through a conveniently open window perhaps?
Exactly my thoughts
It must have been one of those computer explosions you see in movies with bits flying everywhere. I've only ever seen this happen in real life, and it involved an A/D card which was accidentally wired to a fresh 550V generator output instead of the 30mA measuring loop it was meant to see.
Other than that, life with failing PCs has been pretty boring..
Happens all the time
I had a persistent incoming fax calling me, so I connected up a fax machine and received a 16 page medical record of an individual patient.
I faxed back a suggestion that they should check where they're sending things only to be told my number was published on an NHS website as the fax number of a local nursing home.
They also pointed out that I should inform the website and that 'It's no bloody help sending anonymous faxes'.
So the onus is on me to stop the NHS losing patient data?
Nah, I just let the faxes come in now and again, it's good reading
NHS Website errors
Data Protection Act...
Both the idiots sending the faxes, and the idiots running the NHS Website.
Actually, I know of one local GP practice which hasn't updated their own website in at least two years, and I rather doubt that any NHS website will know about the changes either.
Someone could go through the effort of changing whatever details they can change, and then present the Trust with the bill, and sue through civil court for the loss.
If enough people did this, you can bet organisations would start taking data protection seriously.
"Someone could go through the effort of changing whatever details they can change, and then present the Trust with the bill, and sue through civil court for the loss."
This looks like the *only* way they start taking notice. One off fines they will no doubt put in a budget increase for. This is more like slow starvation.
What's worse is with stuff like TrueCrypt available for free even *if* (and I agree most justifications for doing this are rubbish) it had to be downloaded it could still be protected.
Makes me mad too.
So people who are already some of the most vulnerable people in society, who are already afraid to seek help because of the stigmatization that might lead to, now they have to worry that their medical records might become public. How utterly horrid.
This lost memory stick...
Will obviously need trauma counselling - it's a big bad world oot there...
"The only way to protect data is to use mandatory encryption whenever data is moved or copied" -- Nick Lowe.
No Nick, the only way to protect data is to forbid users to move or copy it!
Senior members of staff should be able to move and copy data; and they should only be able to do so by first encrypting it.
Only last week...
I found some numpty's USB drive in Tesco's car park, with his CV, bank details (sort codes AND account numbers), all his household bills, and customer reference numbers on it, 1000's of pictures. This twat was, and I quote, "head of network security at astra zenica pharmaceuticals".
So, if you're reading this mr (dick) head of network security:
A: Thanks for the free 8 gig memory stick
B: your bank details
C: giving me the best fucking laugh in a long time.
PS, your wife's a right moose.
So glad I got out of IT as a career.
Anyone called Gizmodo?
You never know...
The fact is...
...and I speak from experience with such organisations...
The people at the top don't care. They've never cared. They won't ever care.
Why would they? They're not ever held responsible for their failures (they'd be fired in a week were that true) - some dumb klutz at the bottom of the pile will be sacked for losing data he should never have had the authority or opportunity to copy in the first place. And if the CEO of this Trust was fired tomorrow, he still wouldn't give a tinker's. He'd leave on a golden handshake the rest of us could only dream of with a Lottery win, and pop up in another sinecure job before the ink was dry on his resignation.
I'm not sure how "secure" this hospital can be if it's losing medical data.
But what can you expect from an institution whose very name is steeped in outdated attitudes of discrimination?
Anyone with sense would surely have it renamed to Bellslesbian Hospital.
Absolutely no excuses
There is just no excuse at all for this. It's not even a human error, except if you count what must have been a deliberate policy decision not to implement encrypted media at the technical level.
Everyone involved in this is culpable and should be considering their positions: the Chief Exec, the IT Director, the senior IT security managers, Internal Auditors, Risk Managers, not to mention the operational management who allowed the unencrypted stick to be used (and lost).
Every single one of those people is responsible. No excuses - clear your desks and go tomorrow.
Me? Unsurprisingly I submitted my opt out request for the NHS Central Records spine last week. Anyone who is still willing to trust that their personal medical records will be professionally managed after reading the above is simply an idiot.
You want weird?
I once mislaid a USB stick containing detailed military plans for the defence of a Pacific island group against an attack by the Imperial Japanese Navy.
I found it again, but I sometimes wonder if certain newspapers would have even noticed giveaways such as the AWACS Zeppelin.
Idiots taken over?
Nah! They have always been in charge.
"Where have you put that lost memory stick?" "I can't remember."
"We have clear policies in place on the safe use of portable data devices."
And what are they?
What do they mean by 'safe'?
Why haven't there been at least sackings over this, yet another, breach?
In the US the person responsible for such a data breach can be held responsible in addition to the hospital. Depending on how bad they deem it, it could be a $100 fine or $25,000 fine and up to a year in jail. That tends to make numpties think.