A Hull man has been given a suspended sentence for looking at hundreds of women's medical records. Dale Trever, 22, was working for Hull Primary Care Trust as a "care data quality facilitator" when he accessed medical records of 413 female patients. The court was told he accessed records 597 times. He started his snooping when …
"Trever pleaded guilty to seven counts of breaking the Computer Misuse Act and said he'd acted out of idle curiousity."
Oh look, it turns out curiosity IS a crime after all.
I bet this isn't rare
This sort of thing must go on all the time, not just in medical areas. I bet people in banks check out their mates mortgages, police records, online store shopping histories etc..
I can't speak from the point of view of Police or Online Shopping, but Banks (In the EU, at least) are very sensitive to this sort of thing. It may even now be a regulatory requirement, but there was a wake-up call when someone at Vodafone downloaded all of David Beckham's text messages and sold them to some tabloid.
The bank that I work at has systems that detect if people's accounts are looked at and no work is actually carried out.
who does what with who's medical record has to be logged
He didn't have to look at very many records he had no reason to view before the logs left behind of his illegal access caught up with him. And of course validity of these logs all depends upon cutbacks not cheapening systems to the point where it becomes feasible and routine for NHS person A to authenticate using NHS person B's credentials.
Re: I bet this isn't rare
When I was doing desktop support at a BT call centre in Dundee, some customer service droid checked out Thomas Hamilton's account after the Dunblane Massacre. Later that day he was marched off the office floor (and then out of the building some time afterwards) by three spooky-looking suits assisted by two of her majesty's finest. Rumour had it that the suits actually flew up from Oswestry.
It was also routine for the droids to receive calls from security goons immediately after having legitimately viewed/amended a high profile person's account. Your average BT account holder scum seemed to be fair game though.
Those and such as those, I suppose.
Wasn't this expected, predicted?
"The court was told he accessed records 597 times..........Trever pleaded guilty to seven counts of breaking the Computer Misuse Act"
Why wasn't this 579 counts of breaking the Act? Why did it take an on-the-ball' practice manager to 'suspect' this, instead of in-built warning systems to detect it?
Have the people who medical records have been browsed my this sad idiot been told that their data privacy has been breached and been advised of steps they can take to bring action against the idiot or the NHS? I doubt it. The only thing we can be sure of is that any Government organisation will totally foul-up any data protection obligations they have.
"Why did it take an on-the-ball' practice manager to 'suspect' this, instead of in-built warning systems to detect it?"
Because it was built by the company that tendered the cheapest quote, meaning that to meet the budget and deadlines, as well as to speed up the system so it only took 2 minutes to login to, the security module was reduced to a user name and password stored in plane text in the system database.
The database was of course a MSSQL server with the default admin password open to anyone with a PC on the 'trusted' medical network.
None of my records should be on that system, should being the hopeful word.
OH NOES TEH VICMISM!
Lesson learned: next time you're rejected by a woman, just punch her in the teeth. You'll get far less than a 6 month jail term.
learn to accept a 'no, thanks' like a man?
Irony detector malfunction in aisle 3
Makes you want to go back to paper filing cabinets.
Or you could convince the Bastard Operatrix to perform a quick DELETE FROM LOG, right?
Paper would stop this how? It may limit it, but it'll certainly be easier for any nosey employee of a practice to look at the records.
Also - Paper records = no DR, I don't want my medical history accidentally destroyed.
If you're using a mickey-mouse RDBMS.
Real ones have areas that not even the DBA can remove without big fingerprints all over it.
In case there is anyone who hasn't opted out, to support their work, and for news about the NHS databases:
6 months eh?
Same sentence as the policeman got for assaulting a woman in custody.
It seems we have a sense of proportion failure somewhere, and no, I'm not saying which is right, if any, just that they don't equate in my view.
the sentence was suspended - he'll only do time if he does something stupid in the next 2 years.
What, like assault someone, or read some records?
That is all
At least the Police have a policy in place
They randomly pick PNC's checks and ask you to justify your reasons for requesting it. I gave a fixed penalty to a car on my street (it was blocking the road) and needed a PNC check to see if I could locate the owner first. Within a day I had a letter asking to prove this was legitimate check.
Having had 1st hand experience on the PNC side of that, they do nothing about it even if you can't prove it.
Most stations just use the PNC terminals with the user that logged in at the begining of the shift taking the rap for all the searches done.
The offence should be committed when someone *acts on* information they were not supposed to have known (including passing it on to a third party), not when they merely discover it. At least credit people with a bit of discretion, FCOL.
I guess they did
Which is why he is not currently in prison.
Not to sane people it doesn't
"The offence should be committed when someone *acts on* information they were not supposed to have known"
No, the offence is clearly defined (why do I have to keep repeating this every time a CMA story comes along) by S1 of the CMA. You don't get to break the law and then say "no harm, no foul", it doesn't - and shouldn't - work like that.
For the hard of thinking, the offence was not "looking at the data", but breaching the CMA in getting access to the data to look at in the first place, m'kay ?
I khow what the law says
I know what the law says, I just think it's a bad law.
If someone finds out something that wasn't specifically volunteered to them, but manages to keep quiet about it anyway, then I really don't see the harm in that.
Of course, knowing something that you weren't supposed to know can sometimes create interesting situations (such as knowing that the gas fire in the holiday cottage where you have been sleeping with your mistress has been chuffing out CO, but not being able to warn your wife about it before she takes the kids there for a surprise holiday for fear of your affair being discovered) but they are the exception, and should be dealt with on a case-by-case basis.
It's not so much that other people know things about you that you'd rather they didn't, as that you know they know those things.
So now theres proof that you can whip through those huge databases that UK poli's have been saying are "Absolutely Secure", collect whatever information you want, and then just walk off the charge by saying you were curious.
Six months suspended is a joke!
NHS Summary Care 'Opt Out' form
NHS Summary Care 'Opt Out' form;
Good job I don't live in Hull
My NHS records are completely secure that nice minister said so.
Another reason why ...
centralised health records are dangerous. Centralised anything in fact, and amalgamated multiple databases are even worse.
Patients can easily be given a memory fob on which all their medical data is stored and handed over for perusal or updating by a doctor. Prescriptions could also be entered and the chemist/pharmacist would have limited read/write rights so no no duplicate prescriptions can be issued without authority.
It will stop double-doctoring, too, no dongle - no service except in emergency.
I attended a hospital in Toronto for around 7 months and my electronic record, including X-rays was around 5 megabytes - which was copied, at my request, to my dongle.
They let you plug your USB dongle into a machine with access to patients'/'s medical data???
Haven't you heard about these new fangled tech things called viruses? You wouldn't want to expose your doctor to those - they don't have a vaccine for that kind yet! Quick! Call the CDC!
Mine's the one with the correctly setup hardware/software policies. Saved to a USB dongle of course.
This is what happens
When you restrict people's internet access at lunchtimes. They have nothing better to do, and can't look on spacebook, so they idly flick through random women's medical records. If they'd have let him browse porn at luncthime, there'd be no problem.
For Ten Points and A Gold Star
Can anyone explain what a "care data quality facilitator" means?
We used to call them
Data Entry Monkeys.
Couldn't resist ... Coat already on & leaving now....
I was "let go" from a job for looking up a email-friend-but-also-customer's phone number on the computer, and she complained ..... 22 years ago, and we got married soon after..!
Slightly more recently ... somewhere in a different ex-employers email archives might yet still be several complete copies of GP medical systems that I worked on, doing a data-conversion between systems. Wonder if the DPO should ask them..
Meh, happens all the time everywhere someone has access to personal records. You're naive if you think otherwise... And it always has, even back in the good old days of folders and filing cabinets.
...mentioning the (bloody awful) summary care records system here. And it does, indeed, have its issues and I must get around to opting out of it, however this doesn't necessarily mean that he used the summary cockup system to get the info. It could have come from whichever local patient management system was being used.
Or did the article mention that he used the SPINE/whatever they're calling it this week to get the info? (Apologies to all if it did, but it's well on the way to beer o' clock here and I'm tired...)
An ex-employee of ours became "ex "
after it was discovered he was reading world+dog email on the corporate system.
Considering it was a local authority, it was a lot of emails he had access to.
Didn't think it warranted sacking him, im sure any IT techie will admit to having a snoop at some point.
Perk of the job sometimes....
Sorry, no. Not even in jest.
I am a professional. In 20 years of dealing with email systems, personnel databases, payroll systems, whatever, I have *never* looked at any data without first seeking authorisation and having a damn good reason for doing so.
Anyone who thinks the data is there for their personal amusement should on no account be allowed access to any systems, of any sort.
NHS dont care about your data
A hospital near me closed in 1985 and stood derilict until 2006, after exploring it thoroughly (boys will be boys) we found a room filled with filing cabinets containing people's medical records. As far as I know they remained there until the day the building was razed.
It doesn't matter how your data is stored, if the organisation storing it isn't particularly interested in keeping it safe, then it won't be safe.
slap on the wrist then
"six months, suspended for two years" perhaps my legal parlance is not sufficient here but that sounds like: don't be a naughty boy for two years or we might lock you up.
nice to see the courts hold our private data to a high regard.