An NHS trust has told patients that it is acting to improve its data handling practices after a rebuke from the Information Commissioner's Office (ICO) for losing a CD containing details on 1.6 million people. Chief executive of NHS Kent and Medway Ann Sutton said that information is now more secure following the implementation …
Oh so it's _old_ data? That's fine, I don't mind people knowing that I used to be a borderline psychopath on eight different drugs (plus the two for my STDs)
[Anonymous cos actually I do mind really...]
Judging by the note from the relevant parties, that shouldn't have been distributed. Apparently it was only(!) names, DOBs, GP details and NHS number, which means that unless whoever has said CD can also get hold of other details, very likely they can't do a lot with it.
Unless reception staff haven't been told basic DPA procedures and that they don't ask for details about you that won't be from the above... oh wait...
Not worth much? That's not really the point is it?
All the time the excuses keep coming the more likely the next cock-up is simply seen as another silly mistake, "Doh, oh those naughty offcie staff and their silly ways!", until they lose something of serious value.
So what if it's old and pretty much anonymised, what happens next time the dingbat who lost this stack of info, loses something that is actually worth something to someone? This pillock and his managers need to be pulled up over this, next time it could be another list of at risk kids or domestically abused spouses that goes walkabout. All they get is a strongly worded letter from the ICO and a warning to "Not be so naughty next time!", not going to ensure they think twice before burning a copy of the patient register to a DVD.
Here we go again
Why oh why do we still copy sensitive data to CD and PEN drive. Incompetance is the only reason I can think of.
no reason not to
unless it is unencrypted. Data often needs to be transferred from A -> B, encryption is there for a reason. It isnt expensive either.
make an example of an official
Once a higher up is forced to either pay a huge fine or spend time behind bars (or both) for stupid stupid stupid privacy breaches, this kind of thing will stop (or at least reduce in frequency of occurrence). Of course, I am on anti-psychotics.
According to the Guardian they are worried about people being able to hack their network. Which makes me wonder when they read the data on the CD the computer they are using is on the same network. Anyway the NHS is full of "Stakeholders" who have little knowledge of IT so its the blind leading the blind.
""While the breach was unfortunate, I would like to reassure patients that the data stored in the filing cabinet was not current - the most recent information was from 2002"
Oh, phew.. that's a relief!
"Sutton added: We have already strengthened our information governance policies, procedures and training on the basis of our internal investigation of the incident. The information commissioner's recommendations to improve them further will be implemented fully."
How many more times are we going to hear this meaningless rubbish about "learning lessons"?
Yet again the NHS has repeatedly demonstrated that it is incapable of handling sensitive data.
(AC 'cause I work for the NHS)
Time and again I've been allowed to leave NHS sites with 'failed' mirror disks from servers that have easily recoverable data, I'm trusted not to pop them back into a server and force them back online or otherwise recover data from them.
Fortunately for the trusts I visit, I don't and we operate a secure destruction policy but if there was the will...
Until the people in charge start going to prison for these things, they will continue, since any fines payable are paid for by the public purse.
I don't think this is quite the same thing is it?
Now I know assumption is the mother of all f*ck ups but I'm gonna go right ahead and assume you work for some third party service provider and that this service provider is legitimate and that they have a formal agreement with the customers they work for. I'll also assume that if you were to do anything illegitimate pertaining to those provided services you'd find yourself in a similar position to Private Manning but without the media attention, political sensitivity or legal backing from anywhere...so, good luck with that.
We threw it out
You threw it out?
Yes, we threw it out.
That's why that CD I found in the car park won't play in my car CD player. Well, on to Ebay it goes, I am sure at least 10% of the 1.6 million names on their need Viagra, penis enlargement and at the very least Prozac to calm their nerves now that their details are on the loose!
It's a good job you put MILLION in capitals.
Is this so the Daily Mail readers can understand the numbers?
Only if it also had 'possibly stolen by homeless unemployed young Romanians'
"Ooh" said the NHS executive to himself "I've got a great idea, why dont I set up a taxi fund for patients, set a direct debit up into it, tell no one else about it and then keel over with a fatal heart attack.. That'll give the auditors something to do in 3 years time... I'll call it the where's the missing million game..." *evil grin*
Or how about employing 4 people at £100 a day to sit in the cafe, because not one of the current IT "gods" had the remotest idea how to unlock the machines user policies so they could be updated with new anti virus. You guessed it, the guy who did the policies had since left.
Thats just two examples of ONE NHS trust that I worked for - let alone the "heres a list of the drugs she cant have" debacle that cost my grandmother her life. But then, you'd give a person morphine for a chest infection right?..
Three examples of just one of the many trusts in the UK.
I find the "but its old data" comment a total load of crap. People dont change birthdates, they often live in one place for most of a life time. How is that old data?
Then there's the potential for blackmail and company abuses. You were on antidepressants, you're unstable, bye bye promotion. The fact that you were on them because you were the sole survivor of a car crash that wiped out your family.. Irrelevant (the fact that people have been put on a/ds for this very reason beggars belief).
There is a way of solving this. Use a simple device with a dual function. Design a wristwatch with a damn big memory store and a usb connector. Distribute accordingly. In my entire life I have lost a watch the grand total of once. Its been done before, the Onhandpc (640kb ram, 3mhz processor, DOS, PIM and a working spreadsheet of all things) or the WristPDA that ran Palm OS 4.1. I have both and I still have them, yet I've managed to lose 2 meter long snakes while being in the same room & have spent countless hours chanting the mantra "where are my f*#king keys" and missing buses by 30 seconds as a result.
This is not a difficult problem to solve, so why are we mourning the loss of our data and doing bugger all to suggest ways of securing it?
Anti depressants don't just treat depression.
They also prescribed to treat nerve pain. Which may have been caused by a fall at work. Which goes to show how even a partial breach is dangerous.
A.C.' cos it also help when working with some people.
Genuine sympathies btw. I've been there myself.
In defence of morphine, it's not a precision weapon, and it is extremely potent and thus is not risk free.
With my own circumstances, I was actually glad the morphine did it's work; my aunt had suffered for years in crippling pain with terminal lung cancer. I suspect many other relatives of terminal patients are also glad of it's 'undesired' effects; it does at least allow the patients 'on the home straight' to pass away pain-free.
I could claim - controvertially - that in some cases the doctors and nurses will have a good idea which side of the risk equation a specific patient will be on when they administer it. When my time comes, and if I'm riddled with terminal cancer, I hope I get one of those doctors.
> In my entire life I have lost a watch the grand total of once
And I reckon I've lost at least a dozen, at least two of which are under 60 feet of water at a certain Thames water reservoir and might just get picked up next time they drain the reservoir for maintenance... Universal solutions are pretty much impossible.
Morphine is indeed collateral-tastic (apparently recent studies indicate it helps the spread of cancers ironically by increasing the proliferation of blood vessels). However a doctor being handed a list of a patients allergies, with morphine at the very top, after the nurse on the case has looked at the list and *added* additional probable problem drugs. Then the doctor over rules the nurse and injects said patient with Morphine....
She was dead within 20 minutes. From being able to walk into the hospital unaided to being dead - thats pretty effective incompetence even by NHS standards. And thats not to mention the situations I have found myself in. We need to take bloods from your wrist, I swear there would have been less swelling and damage if the person had taken the blood with a shovel. As it was I collapsed in the middle of the ward and ended up on oxygen. Not good.
same old same old
oh well, at least its not sensitive data !
Someone here must be a reseller for DLP - get in there quick whilst the wallet is open !!
The only lessons learnt ...
... are that if you do something wrong, nothing happens in the uncivil service.
Unless the "lessons learnt" are: "You make a serious mistake with people's personal information = you get fired" then there will be no reason for these complete incompetent fuckwits to change their behaviour.
They still need to think about replacing floppy discs?! What the f~ck?
At least with floppy disks they are limited to only losing a small amount of data??
that one day, maybe not tomorrow but one day, the Manager of the department who shed the data will get the boot in a 'do not pass go, do not collect 2 years of salary' kind of way. If there is not a personal impact then why the hell should they care.
OK, yes I can see exactly why they SHOULD care, but you know what I mean.
I almost couldn't be bothered to read the article. All I wondered was: how is this news? It's like reporting dawn! Every morning.
Will they ever learn?!
What worries me is...
...if they did this (and lots of people do) without realising it was wrong, how many other times does shit like this happen and no-one even pays attention to it?
What happened to the new regs where the ICO office gets a set of stocks for public floggings?
Least of their worries
To be honest the people I know in that area are less concerned about their local NHS trust losing their name and DOB than they are about the slim chances of surviving a stay in any of their hospitals.
Obviously, not being a health professional one would be hard pressed to claim there was a culture of clinical negligence going on, but there is unquestionably a public perception of a culture of clinical negligence that is fuelled by every new horror story from patients or the families of patients...
That one day
they will employ staff who care about data security
encryption will be the norm
they will 'learn from this event'
And that goes for other Government departments
But I won't hold my breath.
> they will employ staff who care about data security
Speaking personally I would much rather they employed staff who cared about getting me well.
Sacking people or whatever will achieve nothing because no-one sets out to get things wrong. veryone knows they'll get badly hurt if they have a car accident but we still have a bloody great death toll in avoidable accidents every year.
The only way to stop data getting off the system is to make it impossible for data to get of the system and accept a soddin' great increase in costs and reduction in productivity...
Why would I need a title in a reply to a comment?
@JimC - the ones that have access to 1.6 million sets of details on a CD aren't the ones on the front line taking blood, wiping arses, delivering drugs or checking temperatures. The main fuckwits are the information workers that *think* they're better than the frontline staff and don't turn up for their data protection training because they're too important.
AC cos I changed from the private sector to the NHS two years ago - I'm still shocked at the everyday basic incompetance I see everywhere I look. I had to stop pointing out the idiot flaws in everything that came to my attention as it was '... too negative and confrontational ....'
"This article was originally published at Guardian Professional. Join the Guardian Healthcare Network to receive regular emails on NHS innovation."
Of course a work flow will stop all staff copying and pasting files to cd and floppy disc drive
"names, addresses, dates of birth, NHS numbers and GP details" since 2002. name, DOB and NHS number not only will not change, but are also uniquely identifiable and therefore easy to put to use for fraud / ID stealing. address + GP details.... sure some people will have changed them in 10 years but I would bet at least half the 1.6 million people still had the same address as in 2002.
"after a rebuke" - 1.6 million records lost and all they get is a rebuke, saying that the ICO is merely toothless would be a gross understatement. Number of people fired for gross incompetence - at a guess I'd say approximately zero
"...fraud/ ID stealing..."
There's no need to worry about that any more since the banks stole all our money.
Or have you forgotten about that already?
To begin with all personnel (and their bosses) could be charged with 1.6 MILLION counts of id-theft (just the way RIAA does it, oh yeah!).
Once begun, the policy makers of said instituions can also be charged for all damages resulting from the negligence (e.g. : government -securely this time- reissues new "official use" birthdates for all people outed for all banking/online gaming/etc use, etc etc)
A fertile imagination for constructive use of mischief is all we need.