Thousands of NHS staff details nicked amid IT contractor server hack

The personal information of thousands of medical staff in Wales, UK, was stolen after an IT contractor's server was hacked. Details including names, dates of birth, national insurance numbers and radiation doses of radiography staff were stolen by hackers accessing the UK-based systems of global dosimetry company Landauer. It …

kain preacher
Silver badge

NHS loses data. Now where have I heard this before?

Tom 7
Silver badge

Contractor loses data - not NHS directly

It's that privatisation thingy that's causing the problem.

fruitoftheloon
Stop

@Kain preacher

Kain,

commentard doesn't read the article.

We've heard this before...

Anonymous Coward
Anonymous Coward

News flash: even the least-private NHS trusts/boards/CCGs have to work with a lot of private companies, and in this case it was the subcontractor of one of those companies (IT supplier to the datacentre) which was responsible for the breach, which was more than likely an automated malware attack using a well known attack vector which WOULD have been blocked if the contractor hadn't disabled malware protection on the server.

Blotto
FAIL

Re: @Kain preacher

@fruitoftheloon

It's up to the trust to ensure their service supplier adheres to all data security standards as if the trust were directly managing the service themselves. They failed to ensure their data was in safe hands. The buck stops at the trust; they can blame whom they want, but it was their decision to entrust data in their control to a third party, and it's up to them to ensure their third party is doing the job properly.

The likelihood is the trust have no clue as to what's involved in securing their data and hoped paying our money to a third party that made the right noises is all that was required. They will likely just pay that same third party more money and hope the problem fades away, still with no idea of what is required to secure our data.

Anonymous Coward
Anonymous Coward

Re: pay that same third party more money and hope the problem fades away

"They will likely just pay that same third party more money and hope the problem fades away, still with no idea of what is required to secure our data."

Just like outsourcing in general then. You can outsource the work and pay the money to some other organisation, but you can't outsource the responsibility, and usually you can't outsource the risk either (that's not what outsourcers do, is it).

John Smith 19
Gold badge
Unhappy

"and usually you can't outsource the risk either"

Yet curiously that seems to remain part of the pitch for all these PFI type deals

PFI ==> Profit through Ignorance

frank ly
Silver badge

Stolen?

Did they actually steal it (deprive the owner of the use of it) or did they illegally copy it?

Dan 55
Silver badge

Welsh Ambulance Services National Health Service Trust

They are one of the 48 government departments who can access your Snoopers Charter records.

I'm sure the Data Protection Act 1988 has got us covered.

Aristotles slow and dimwitted horse
Silver badge

Welcome...

Welcome to your private sector NHS. Welcome to the future.

Rich 11
Silver badge

Re: Welcome...

Look, it's just a simple example of the ongoing monetization of data, that's all. Nothing sinister. If anything the company failed to ensure that they received a cut, but don't worry, the invisible hand of the free market will punish them for that.

</sarc>

Anonymous Coward
Anonymous Coward

Re: Welcome...

The only viable solution would be to have a nationally run monitoring service, which may in the end cost more. From what I gather the cost per trust is fairly small for these dose monitoring badges etc but it's also likely not only to affect NHS but also private companies - who won't tell the ICO.

Think about it, private hospitals and potentially nuclear facilities..

fruitoftheloon
Thumb Up

@AC: Re: Welcome...

AC,

Yup, wifey is a medical physicist; she and her colleagues have these whizzy doo-dah badges that keep track of radiation [wot with all those linear accelerators, and isotopes to hand that are used for cancer treatment]

As to the NHS having a f'ing clue about running it themselves, every trust would do it a different way, with a different supplier, AT MUCH HIGHER COST.

They still insist that all PCs in the trust are kept on 24/7 as there could be an update that needs dropping on them urgently. I wonder what the marginal cost of 'leccy is for that?

/rant over

Robert Helpmann??
Silver badge
FAIL

Re: Welcome...

[I]t's just a simple example of the ongoing monetization of data, that's all. Nothing sinister.

Cognitive Dissonance Error [E000001984]. Immediate cerebral shutdown!

Anonymous Coward
Anonymous Coward

Re: Welcome...

But why does the monitoring service need names and addresses? Surely a unique ID which links to the staff details held centrally (and the badge ID) is all that's required?

Jason 24

Re: @AC: Welcome...

"They still insist that all PCs in the trust are kept on 24/7 as there could be an update that needs dropping on them urgently,"

That runs slightly contrary to their change control management, which takes weeks to approve even a simple change.

There's a very good chance the left and right hand aren't aware of each other's existence, of course.

Anonymous Coward
Anonymous Coward

Re: Welcome...

But why does the monitoring service need names and addresses? Surely a unique ID which links to the staff details held centrally (and the badge ID) is all that's required?

^^ It doesn't, but seeing as the unique ID would have to be agreed across NHS Wales, England and Scotland, that's a problem: a lot of trusts, a lot of boards and a lot of CCGs willing to share data. I agree it's logical, but so is the supplier having better IT and information security procedures in place.

They need to track where people work as the radiation dose information has to move with them if they move employer. Dangerous stuff, radiation.

Anonymous Coward
Anonymous Coward

Re: Welcome...

The unique identifier is not agreed nationally; it is agreed by whoever is in control of the hospital's personal dosimetry provision. Some of us made certain that the unique identifier was their payroll number, which identifies the individual in that particular trust but is not usable if stolen. For the vast majority of employees there is no need for radiation dose information to be tracked, as this is only required for staff who received a high enough dose to be a 'classified worker'. The reason the breach occurred was that an employee of the company that provided Landauer with their UK server service did not follow the company's security procedures. The service provided by Landauer is actually very good and they are simply a supplier.

Bob Rocket

Bandits

Has anybody noticed that Experian seem to make out like bandits whenever there is one of these (routinely common) data breaches?

Adam 52
Silver badge

Re: Bandits

Indeed. If I were one of those affected I'd be pretty upset by the breach having been compounded by a second leak to Experian.

Buzzword

NI number? Why?

Why the blazing heck does a dosimetry company need to know people's NI numbers?

RogerT

Re: NI number? Why?

Why the blazing heck does a dosimetry company need to know people's NI numbers?

That was my immediate reaction. I suspect that this is an excessive amount of data being stored for this particular purpose. A staff number is probably reasonable, but not an NI number.

Richard 26

Re: NI number? Why?

It is a requirement that your lifetime dose records are taken. Yes, theoretically you could do it by assigning a separate unique lifetime number that all employers and providers of dosimetry service agree on. In practice, the NI number is it: http://www.hse.gov.uk/pubns/irp2.pdf

Yes, mine too. Also innumerable henchmen who work in secret underground bases in a volcano will also doubtless have had their name and address disclosed.

Adam 52
Silver badge

Re: NI number? Why?

Hmm. Nobody who pays tax outside of the UK and Channel Islands has ever worked with radiation?

Doesn't seem a very robust identifier.

Pascal Monett
Silver badge

"a large global company holding data on individuals in many countries across the world"

Meaning, a company that has the means and resources to ensure that something like this does not happen.

Which, subsequently, makes the breach absolutely inexcusable.

Then, of course, comes the laundry list of technical questions, including the most important: was the data encrypted and, if not, why not?

Given the number of people affected, it would be proper to see the board resign in its entirety regardless of whether there is a proper explanation or not. That, of course, will never happen.

Anonymous Coward
Anonymous Coward

"see the board resign in its entirety regardless" @ Pascal Monett

"see the board resign in its entirety regardless"

If resignation doesn't suit them, perhaps they'd like a dose of their own:

https://www.youtube.com/watch?v=A4UxyFuhc9A&t=109

Still, with BannonTrump and MayFarr in charge we don't need to worry about that kind of thing do we.

Anonymous Coward
Anonymous Coward

Experian

" checking their credit ratings. "

as a matter of interest, what's the penalty paid by a credit ref agency that stores and or publishes false data about someone, and do they not have at least some responsibility to check the data they make available?

Walter Bishop
Silver badge
Terminator

Thousands of NHS staff details nicked

"The personal information of thousands of medical staff in Wales, UK, was stolen after an IT contractor's server was hacked."

Do you mean the servers were hacked and the records were illegally copied by some unknown entity to an unknown location? What exactly was the nature of the breach and what steps did Landauer take to secure its servers?

EnviableOne
Bronze badge

Re: Thousands of NHS staff details nicked

The answers to these questions, it's likely we will never know, seeing as the breach happened in October and NHS Wales found out in January and we are only finding out it happened now.

Anonymous Coward
Anonymous Coward

Re: Thousands of NHS staff details nicked

Malware installed after anti-malware protection and an "unauthorised firewall change" was made. It seems the firewall change took place some time prior to the attack itself and the malware was your generic get in/copy/try to self-replicate sort so we've no idea if the data has been used or will be.

In truth NHS Wales probably got the same generic BS letter that Scotland and England got, which gave sweet FA detail, and then had to chase up the company - only to find out they'd outsourced the handling of the incident to a group of lawyers (Yay America!) who were completely useless when it came to providing information. It took them nearly 2 months to reply to my 5 single questions, e.g. Why has it taken you 3 months to tell us our data has been lost?

Anonymous for obvious reasons.


Biting the hand that feeds IT © 1998–2018