what about the FDA?
Never mind the information commissioner, what about the FDA? I'm pretty certain that all computer systems used by pharma companies need to be validated and documented to an FDA standard.
The medical testing arm of pharmaceutical giant Roche has exposed the personal and medical details of UK customers on its website. The firm has admitted the security breach but has not explained how it happened. Customers who had registered their details with Roche Diagnostics received the first edition of an email newsletter …
The problem was that they used a recycled link in an email that went to a specific user's information, with the ability to update the data on that page. At most, anyone who clicked the link was able to see the details of only the last person to enter data, not everyone's on the email list. It isn't as big of a breach as this article makes it out to be.
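The comment above describes a single "update your details" link shared by every newsletter recipient, which resolved to whichever record was last submitted. As an added illustration (not code from the thread, from Roche, or from the article), the Python below contrasts that shared-link design with a per-recipient, single-use token that maps server-side to exactly one record. All hostnames, e-mail addresses and medical details are constructed placeholders.

```python
"""Constructed demo: a shared 'update your details' link versus a
per-recipient, single-use token. Not the real newsletter system."""
import secrets
from urllib.parse import urlparse, parse_qs

# Assumed placeholder host; nothing here contacts a network.
BASE = "https://newsletter.example.invalid/update-details"


class SharedLinkSite:
    """Flawed pattern as described in the thread: every e-mail carries the
    same URL, and the page shows whatever record was last submitted."""

    def __init__(self):
        self.records = {}    # email -> details
        self.current = None  # email whose record the update page now displays

    def register(self, email, details):
        self.records[email] = details

    def link(self, _email):
        return BASE  # identical for every recipient: nothing ties it to a person

    def submit(self, email, details):
        # The last person to enter data becomes the page's visible state.
        self.records[email] = details
        self.current = email

    def view(self, _url):
        # Anyone who clicks the shared link sees the last submitted record.
        if self.current is None:
            return None
        return (self.current, self.records[self.current])


class TokenLinkSite:
    """Hardened pattern: each recipient gets an unguessable token that the
    server maps to one record and invalidates on first use."""

    def __init__(self):
        self.records = {}  # email -> details
        self.tokens = {}   # token -> email; entry removed once consumed

    def register(self, email, details):
        self.records[email] = details

    def link(self, email):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.tokens[token] = email
        return f"{BASE}?token={token}"

    def view(self, url):
        qs = parse_qs(urlparse(url).query)
        token = qs.get("token", [None])[0]
        email = self.tokens.pop(token, None)  # single use: consumed here
        if email is None:
            return None  # unknown, forged, or already-used token
        return (email, self.records[email])


def demo():
    """Run both designs on constructed data and return the outcomes."""
    shared = SharedLinkSite()
    shared.register("alice@example.invalid", "constructed: result A")
    shared.register("bob@example.invalid", "constructed: result B")
    shared.submit("alice@example.invalid", "constructed: updated result A")
    # Bob follows the link from his own newsletter and sees Alice's record.
    leaked = shared.view(shared.link("bob@example.invalid"))

    safe = TokenLinkSite()
    safe.register("alice@example.invalid", "constructed: result A")
    safe.register("bob@example.invalid", "constructed: result B")
    alice_url = safe.link("alice@example.invalid")
    first = safe.view(alice_url)               # Alice's own record, once
    reused = safe.view(alice_url)              # forwarded/recycled link: nothing
    forged = safe.view(BASE + "?token=guess")  # made-up token: nothing
    return leaked, first, reused, forged


if __name__ == "__main__":
    for label, result in zip(("shared", "first", "reused", "forged"), demo()):
        print(f"{label}: {result}")
```

The design point is that the URL carries no identity of its own; the server looks the token up, returns exactly one record, and discards the token, so a recycled or forwarded link yields nothing. A production system would additionally expire unused tokens and require authentication before allowing updates.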
"Not as bad as it sounds" is like saying you are "just a little bit pregnant". This is a binary issue. The data leaked or it did not leak. Period.
The data leaked.
The data that leaked included medical details.
This is contrary to the Data Protection Act 1998.
This "not as bad as it sounds" comment sounds like an attempt to whitewash this. Roche was trusted with that data. It proved itself to be untrustworthy by its actions.
The FDA does have some jurisdiction in the UK, in that it can audit pharma sites. However, the UK has an equivalent called the MHRA (Medicines and Health Regulatory Agency), which will have the power to look into this. Regardless, the web system will probably have been assessed as not requiring validation and therefore won't have been validated, hence the leak. I would guess that this will be changed ...