London hospital loses 20,000 unencrypted patient files

Providing proof, if it were needed, that every single piece of personal data in the UK has now been lost - probably several times over, by multiple corporations and government offices - news has just broken of another theft of laptops crammed with easily accessed info. This time the there-but-for-the-grace-of-god bonehead users …

COMMENTS

This topic is closed for new posts.
  1. Steven Raith
    Thumb Down

    "reminding staff not to store..."

    "None the less we owe it to our patients to protect their personal information and we have reminded our staff not to store this kind of data on laptops in the future"

    Hmm. I dare say if you start sacking them for confidentiality breaches [Hippocratic oath extends to the reception staff and management too, not just the doctors and surgeons IMHO] then that might make them sit up and take notice and prevent this sort of thing happening again, perhaps?

    Steven R

  2. The Mole
    Go

    ".. and we have reminded our staff not to store this kind of data on laptops in the future."

    Instead they will use desktops, as we all know that those can't be stolen or anything, can they Blears?

  3. Webster Phreaky
    Jobs Horns

    Someone check the bedpans!

    Wanna bet that this hospital never "loses" patient billings.

    Considering there must have been a security hole and Apple OS X and Safari has more holes than Swiss cheese, bet they have an Xserver.

  4. KazR
    Unhappy

    Come on let's do this properly

    Come on!!!!!!!! Let's do this right - let's get ID cards implemented so that everyone can have their identity 'shared'.

    Wouldn't it be great to nip down your local dodgy boozer, 'ave a word wiv the shady bloke in the corner:

    You: Now then mate, what have you got for me?

    Bloke: Well, I can do ya a Brown for a ton, we have a special on Darlings this week, £80.

    You: Cool, I'll take a Darling and a Brown for the missus.

    Bloke: Done.

    And courtesy of your government you too can say: "Tonight Michael I'm going to be....!"

    Great eh?

    We're all shagged.

  5. Andy Mabbett

    And another one...

    http://news.bbc.co.uk/1/hi/england/west_midlands/7461607.stm

    "The health records of nearly 11,000 patients are on a laptop stolen from the Wolverhampton home of a GP. The information was not encrypted to make it difficult to access, as health guidelines say it should be. But a practice spokesman said the information was protected with a complex password system which would be difficult to crack."

  6. Miguel
    Stop

    Paradox?

    However, hospital staff were keen to stress that the laptops were "password protected".

    "We believe the data will almost certainly be wiped by the thief so he can get a quick sale"

    And how might your average thief, were he so gracious to wipe everything before trading for a tenner bag, intend on wiping the data if the laptops are password protected?

    I wish people would stop treating us like fools. Even more so, however, I wish people would stop letting them get away with it.

    Appalling.

  7. Anonymous Coward
    Coat

    Shock horror

    "However, hospital staff were keen to stress that the laptops were "password protected". Which should stymie anyone incapable of booting them up using an alternative operating system."

    Oh so tell em how to access the data! D'oh!

    The only surprise in this story is the fact that the laptops were locked away!

    In my experience, some of the NHS trusts are VERY lax in the security of data.

    Take for example; A "Storage Room" on the ground floor of a building, directly in the line of sight from the main entrance, door open, computer equipment on display for any scally to nab.

    Or how about this. Administration offices sharing a building with another company and doors to Comms rooms, again full of new and old kit, left unlocked for anyone to gain access to!

    Mine's the one that says "Ex NHS engineer" on the back

  8. Stu
    IT Angle

    Password protected

    Thankfully they were password protected to stop people booting them.... because nobody can take the disks out of the machines and mount them on another and simply read the files... "Chief Executive David Astley" couldn't anticipate that either... f*cktards!

  9. Tony W

    That's not security

    Ordinary filing cabinets and office drawers can be broken into with a screwdriver in about 5 seconds. That's not even proof against the casual tea-leaf, let alone a professional. It must be impossible to make data completely safe but they could at least try.

  10. Joel
    Coat

    @Webster

    Well, as they were physical machines that got stolen, you can't really blame Safari, unless it was one with porters, tents and bwana's toting elephant guns....

  11. The Power Of Greyskull

    Surely they mean "hypocritical oath"...

    ... when they say "don't store patient data on laptops"?

  12. Mike Crawshaw
    Joke

    Going by Recent Legislation....

    Our best bet to get them to stop is to get the *(look away now if easily offended)* Daily Mail *(sorry...)* to mount a campaign about it... TIHNK OF TEH CHILDERN!!!

    Hell, it worked for the 42 days, extreme porn...

    (Joke only because that's what IT security is to these people)

  13. Ron Eve
    Thumb Down

    @ Webster Phreaky

    WTF has your second para got to do with the article?

    Maybe you need a bigger butt plug....

  14. Ron Eve
    Paris Hilton

    Breathtaking

    "We could not anticipate a determined thief who was prepared to force open a filing cabinet and locked drawers," said Chief Executive David Astley

    Simply and quite utterly breathtaking... This man should immediately be taken outside and pelted with his own merde...

    Paris as she wouldn't have to be forced open anyway...

  15. Anonymous Coward
    Unhappy

    The really sad thing?

    It's becoming so de rigueur to simply admit to having lost personal data now, that everyone and their dog is past caring anymore.

  16. Adam Foxton

    Who'd deliberately force open a filing cabinet

    just to get a medical records laptop?

    Seriously, government records you can understand. But medical records? Whoop-de-doo, you know who's got a bad heart and a few more details on their home address etc. There are easier ways of defrauding and ID-thefting people.

    Then again, if they didn't lock the filing cabinet...

  17. James O'Shea
    Jobs Horns

    @Joel

    He's _Webster_. He blames _everything_, up to and including the heat death of the universe, on Apple and Apple products. It's all Steve Jobs' fault, don't you know...

  18. Darren B
    Coat

    Filing cabinets for their purpose

    To store data records, what is the problem here?

    If they were full of paper then they could still have been stolen, the obvious difference is it would have taken a lorry and 4 blokes rather than a man and a holdall on a push bike.

  19. Tony
    Flame

    Could you make this up?

    "We could not anticipate a determined thief who was prepared to force open a filing cabinet and locked drawers"

    I have to ask if these spokespeople actually think about what they are going to say before they open their mouths.

    I wish that I could say it is funny - but even my (very broad) sense of humour is starting to fail me.

    I note that there is an amendment to the Criminal Justice and Immigration Act due to become law later this year that will make it a serious offence for anyone who "intentionally or recklessly discloses information or repeatedly and negligently allows exposure of personal information". (infosecurity May 2008)

    I wonder if this will apply to the government or just to the poor schmuck that they set up to take the fall?

    Perhaps it's about time we brought back the (old) second verse of the National Anthem?

    "Confound their politics

    Frustrate their knavish tricks

    On thee our hopes we fix

    God Save Us All"

    Icon: Where's Guido when you need him?

  20. Les Matthew
    Thumb Up

    Re: Password protected

    "because nobody can take the disks out of the machines and mount them on another and simply read the files..."

    No need to do all that.

    http://home.eunet.no/~pnordahl/ntpasswd/

    Boot up with the floppy and just reset them.

  21. Joel Mansford

    ID Cards 'partner'

    So out of the organisations that are to have access to the ID Card database are there any that haven't 'lost' data recently?

  22. Ash
    Thumb Down

    @Steven Raith

    Make people CULPABLE for the losses they cause?

    PREPOSTEROUS!

    This is the United Kingdom of Unabated Apathy and Great Molly-coddling.

  23. RW
    Flame

    Not breathtaking; just plain ol' lame

    "We could not anticipate a determined thief who was prepared to force open a filing cabinet and locked drawers," said Chief Executive David Astley

    No, you twit on wheels, you certainly *could* have but you didn't. Have you never heard of "worst case scenario planning"?

    Betcha he's another NuLabour appointee who's seriously underqualified, seriously overpaid, gets big bonuses for doing 75% of what he's supposed to do, politically correct, and as an appointee of NL untouchable, for to fire him would be to admit a mistake was made and NL *never* makes mistakes, do they?

    After all, if they admit a small mistake such as appointing this dude, then by implication such grand schemes as the ID card system might also be mistakes, no?

    Sheesh! Where do these people come from?

    [Answer: business schools.]

  24. Steve Davis
    Go

    Steve

    Having just been to a London hospital today, this does not surprise me. Most "data" consists of photocopied forms filled out with handwritten notes that are passed from department to department by use of foot, in-trays and luck. It's like going back 30 years in time.

    However, to hack in to that system would not be easy... Nobody knows where anything is!

  25. Anonymous Coward
    Anonymous Coward

    Whilst this is breathtakingly stupid...

    ... they are at least ahead of the game as far as the rest of the government and civil service is concerned. They have managed to put them in a locked drawer, this is more secure than sticking them in the post or leaving them on a train.

    It is clear though that the entire civil service should box up their computers and send them back. They are just not bright enough to be trusted with them, or pen and paper for that matter.

  26. Anonymous Coward
    Anonymous Coward

    WTF???

    "We could not anticipate a determined thief who was prepared to force open a filing cabinet and locked drawers," said Chief Executive David Astley.

    OMG! Breaking news from London - locks don't stop thieves!

  27. Joe

    @ Webster

    That was a tenuous link, even for you! Let's face it, it's the NHS, it's probably not Apple gear.

  28. Max Lock
    Pirate

    It's another Joke right?

    Trust spokespersons told the Reg that the data had only been placed on the laptops due to a "temporary problem" with the hospital's network, which has since been rectified.

    MAX - Those temporary network problems sure can escalate!

    "We believe the data will almost certainly be wiped by the thief so he can get a quick sale," speculated Astley.

    MAX - I would imagine that the thief is less inclined to wipe anything other than his/her fingerprints?

    "Nonetheless we owe it to our patients to protect their personal information and we have reminded our staff not to store this kind of data on laptops in the future. We have also set up a helpline for patients to ring for further information."

    MAX - Yea, and to abide by the Data Protection Act in the first place. There are 2 crimes here.

    The machines' drives were not encrypted. However, hospital staff were keen to stress that the laptops were "password protected".

    MAX - Yea, that's gonna slow them down alright. Order a pizza, by the time it arrives they'll be in.

    "We could not anticipate a determined thief who was prepared to force open a filing cabinet and locked drawers," said Chief Executive David Astley.

    MAX - Wow the determination of it all. Call me old fashioned, but thieves have always been determined, surely all of this was caught on internal security camera. Probably not due to the network problem?

  29. Anonymous Coward
    Paris Hilton

    NHS & Security

    Two words that shouldn't be used in the same sentence.

    A very good friend of mine worked at one of the Local NHS Trusts. By his own words he basically worked with a bunch of fucktards. The system is a shambles, people will not rock the boat as it may affect their automatic promotions. Promotions are not given for working hard and doing a good job, no, promotions were given purely on a "whose turn is it?" basis.

    This particular trust brought in a Security Consultant from the local Police Force to sort out the mess that was security. He duly did his job and for the best part of six months tried his best to bring it all into line. Until he pointed out to the Financial Director one day that he couldn't use his laptop at home as it wouldn't be protected by the Trust's Firewall. To which said Director pulled the "I can do what I like I'm the Director of Finance" card, a spat ensued and the Director was told that Viruses and Trojans wouldn't give a fuck who he was.

    The guy was eventually moved sideways into a cushy number and told to keep quiet and given more money. They couldn't sack him as he was doing his job properly.

    These people wouldn't last five minutes in the real world.

    Paris cos she'll go down quicker than a security consultant in the NHS.

  30. Tomothy Toemouse
    Boffin

    Knoppix on a USB stick

    says it all. I have Knoppix, found out how to get it to boot off a USB stick on the web. I could boot all of those knocked off laptops in about (realistically depending on if they were any good) 2 minutes or so and copy the data to something else, say a DVD. Then I could go and lose them on the train or something. Every sod else seems to be...

  31. Steven Raith
    Happy

    @ash

    Ah, yes, sorry, my mistake!

    I'm half looking at moving away from London and crashing with my bro in Scarborough - and there was a field engineer job going at the local Trust.

    This has made me think that putting up with the two hours commute each way from Deepest Herts to south of The River is favourable to working with a bunch of dribbling fucktards on my bro's doorstep... I'd end up quitting in disgust, most likely.

    Steven R

  32. Rich

    So when they had paper records

    They were in an underground vault with armed guards? I'd reckon not - desk drawers and filing cabinets, if that?

  33. Bruce Sinton
    IT Angle

    Thanks for the Tips

    When I get into the business of stealing laptops, I will know how to access the information on the disks, thanks to the information given out on these posts.

    Must remember not to shed any hair or leave fibers, footprints etc at the scene.

    I watch Crime shows and now I can get the knowhow on computer crime right here on The Register.

  34. Anonymous Coward
    Unhappy

    @Steve Raith

    "Hmm. I dare say if you start sacking them for confidentiality breaches [Hippocratic oath extends to the reception staff and management too, not just the doctors and surgeons IMHO] "

    Sorry, but it doesn't, and never did. And now doctors outside ER/Gray's Anatomy don't take the Hippocratic oath anyway. I didn't, and my students don't.

    But Trusts and ALL their staff DO have a professional duty of care, which was probably not exercised here, and legal duties under the DPA.

    They also have a duty not to be unthinking morons (a rule sadly broken all too frequently) who didn't consider the possibility that thieves might know how to break desk locks.

    I'm sure these laptops were being used to provide what's called "outreach clinics" - enabling the staff to have access to patient information in non-Trust premises. The drawback is providing secure storage - I'm sure the bean-counters got a proposal "8 laptops at 600 quid each means we can hit one of our targets from access for less than five grand" but when told what a proper secure storage cupboard would be just said "The filing cabinets have locks, don't they? And a boot password is as good as encrypting the disk, isn't it?"

  35. Mike Crawshaw
    Pirate

    @ Rich, Paper Records, Steven R

    "So when they had paper records they were in an underground vault with armed guards?"

    No, but I'd reckon it was probably a little harder to lift patient records on 20,000 people when they were on paper than just snoiking a laptop!

    @Steven "Wanting to work for the NHS" Raith:

    Dude, don't do it. Seriously. My gf works at the NHS (clinical staff), and the horror stories I could tell.... but I'm pretty sure if I named the PCT or gave any examples of their sheer craptitude, El Moderatrix would stamp all over me*! "Dribbling Fucktards" is an apt description for their more competent staff!

    (*Hmmm. So, there was this one time....)

    (Pirates cos anyone with any data seems to be)

  36. Anonymous Coward
    Paris Hilton

    Not surprised

    I did some agency work temping in the Service Delivery (admin) department of my local hospital. All the domain usernames and passwords for all the admin staff were written on a whiteboard in this unlocked office.

    PH - Because she now knows to keep data secure

  37. Ascylto

    Chief Executard

    Further proof that when politicians and business people tell us we have to pay for the best they are lying through their enamel cappings ...Chief Executive David Astley (probably on a six-figure salary) shows what a ouanquerre he is.

    Imagine ... thieves breaking into locked cabinets!

    What next?

  38. This post has been deleted by its author

  39. Anonymous Coward
    Flame

    RAH! RAH! RAH! RAH! SISS BOOM BAH!

    A pause, for a moment, for the braying to subside. Judging by Reg responses England is clearly so chock full and bursting at the seams with infallible IT workers that it is simply amazing that anything goes wrong anywhere at all.

    The error in judgment here was simply that someone equated the security of paper records in a filing cabinet with (possibly the same) records on a notebook and stored them accordingly. They neglected the status of portable electronics as highly desirable, easily convertible, targets of theft and that was wrong. In the mental arithmetic of Risk, they indirectly ramped "Likelihood" up a handful of notches without mitigation. Fix it. Move on.

    Now unless those records were part of a trial of a lucrative patentable treatment, it is unlikely that they were the target of the theft. Similarly it is unlikely that the thieves will take the additional personal risk to try and use the information for personal gain. The gain will be small, and the risk will be high - especially considering the vast number of relatively low (or zero) risk ways to acquire volumes of personal information. Identity theft is fueled by the rapid conversion of the billowing cloud of information we trail behind us - electronically or on paper - into profit. Blagging a hospital is poisonous to the process and, let's face it, completely unnecessary. The only thing that data will do is tie an otherwise convertible asset to a criminal act. Its probable lifetime? Slightly shorter than the serial number on the bottom of the case.

    Every day we ask those who provide services to us - doctors, hospitals, government agencies - to be more flexible and respond more rapidly to our changing needs and, more often than not, to do it for less money.

    Rigid security systems - the kind we come to expect for national security and high value commercial information - are not designed for the sort of situation where personal data must be simultaneously secure, and at the fingertips of the part-time worker at the admissions counter, and in the hands of the person auditing the health program, and in the hands of the clinician. These requirements demand a properly risk managed but pragmatic approach and with pragmatism (sprinkled liberally with inadequate resourcing) comes the opportunity for errors in judgment. Standardised and reviewed processes help minimise these errors but process always follows need and need moves like a scared rabbit. Errors will occur. Fix them. Move on.

    Interestingly, for all the infallible experts here, the concepts of risk management and pragmatism seem pretty thin on the ground. I am sure there are quite a few here who could explain how <INSERT FOOTBALL TEAM HERE> is being mismanaged. <INSERT MANAGER NAME HERE> needs to be given the boot!

    I wholeheartedly agree.

  40. Anonymous Coward
    Alert

    associated

    I work for a company that assists the NHS with technology 'solutions' *AHEM* So I handle laptops (for training purposes) provided from local trusts and re-fit software and databases to be in line with current live systems.

    Now we are very careful with the data with which we're charged, but when I get these laptops, they rarely have passwords (even though we send them off secured, the cretins in NHS just remove them, and start diligently filling said DBs with sensitive data) and even if they do have them, they're so highly enigmatic, they would require a thief to actually use their thought processes to try the name of the city said laptop has been lifted from.

    What I'm trying to say is that IT contractors for the NHS do the utmost to ensure security, but the good old 'stuck in a techno-rut' NHS just seem to think that these policies just plain don't apply to them.

    Anyway, I'm off to fit a new lock to my drawers...

  41. Anonymous Coward
    Anonymous Coward

    As a member of NHS IT staff

    I can say that attempting to implement any security measure will quickly be stomped on by the first Consultant (Medical, not IT) whom the change slightly inconveniences.

    "I have to put my password in *again* if I leave my PC unattended for more than 10 minutes? I'm a very busy man, doncherknow?!"

    Anonymous, for obvious reasons

  42. Wil Rockall
    Paris Hilton

    Smart Cards

    Why were the PCs protected by passwords? According to the Information Governance Toolkit (Question 303 IGT watchers) all trusts have, as part of their obligation as a Registration Authority, to have "established business processes that ensure all staff smartcards and access profiles issued are appropriate".

    Passwords should not be the authentication method used. Perhaps as well as breaching the Data Protection Act the executives of the trust have made a false declaration in their IGT return and so could be found guilty of perjury?

    PH because she protects her assets better.

  43. Max Lock
    Thumb Up

    Mountain out of a mole hill ?

    No it isn't. A lost Laptop cannot be compared to losing a hardcopy file, it's like losing the entire "Filing Cabinet", in fact 20 cabinets. Think about it!

    Though NHS Staff need to be better educated on data security to be able to comply with the Data Protection Act, I believe that the IT Departments are really at fault. The IT department supply the laptops to the staff and they should have secured the laptops using Safeboot or any other encrypted software to ensure the data could not be viewed.

    Would you be so forgiving, if a shop in the high street had left your credit card information for anyone to look at and use? When it started costing you money I fear not, then data protection would be very important to you. If you care about protecting one form of data, then you have to care about all forms, no matter how trivial to you.

    Data is protected for a reason. Would you like people to know if?

    1: You had an abortion when you were young

    2: You had/have a drink/drugs problem

    3: You have AIDS.

    4: You have mental problems.

    5: You have cancer, HIV.

    6: You have had an STD

    7: Your children are sexually active.

    This is private information and is "TRUSTED" to the people who are there to help you. If the trust is not respected, then the patient may feel he/she does not want to disclose vitally important information to their Consultants/GPs/Nurses etc.

    Data Security has to start with a well trained and educated ICT Department.

  44. Anonymous Coward
    Anonymous Coward

    Sack them

    Copying confidential data = the bullet. Likewise with the Wolverhampton Wanker.
