You know me, I don't know you: Hospital reportedly raps staff for peeking at Ed Sheeran data

Two UK hospital workers have reportedly been disciplined for accessing Ed Sheeran's personal details after he was admitted following a bicycle accident. The carrot-mopped guitar-botherer was treated at Ipswich Hospital last year for a broken wrist and elbow.

  1. Ensate

    Maybe they thought something was in his bloodstream.....

    1. wolfetone

      Maybe they could've told him when it kicks in?

  2. Anonymous Coward

    Don't

    I'm actually quite impressed that they could detect such access - everything has changed since I worked on NHS projects. I'm thinking out loud, but it looks like they had the A-Team in the watchtower.

    1. Anonymous Coward

      Re: Don't

      I'd bet money the breech was identified through word of mouth (gossip), and someone reported it, rather than a technical solution flagging up access.

      1. Doctor Syntax Silver badge

        Re: Don't

        "I'd bet money the breech was identified through word of mouth"

        In the maternity ward?

      2. Anonymous Coward

        Re: Don't

        @I'd bet money the breech was identified through word of mouth (gossip);

        You're suggesting they might have been illegally sheeran patient data?!

    2. Adam 52 Silver badge

      Re: Don't

      They could only detect two. How many hundreds actually looked using the unlocked terminal or the generic username/password on the post-it note?

  3. Anonymous Coward

    Surely the hospital should be implementing a system that ensures confidentiality and privacy for all patients, that way everyone is protected, and those people with higher, or public profiles, are not treated any differently.

    Protection for all, not just those deemed worthy.

    1. DavCrav Silver badge

      "Surely the hospital should be implementing a system that ensures confidentiality and privacy for all patients"

      No. A hospital is an obvious case where all data needs to be accessible, because they have literally life-or-death emergencies there where a patient's data needs to be available right the fuck now, not in a few hours once you have gone through the correct procedures, or even in a few seconds. Any delay means potential deaths.

      What you can have is a logged system, which allows anyone access now, and then fires you later if you abuse it. Which it apparently already has.

      1. Anonymous Coward

        DavCrav, No.

        If I'm in hospital, hung on the end of my bed are the notes pertinent to the reason I'm in there, along with other key details, there for anyone to pick up. They are there for the reasons you describe.

        My records however are probably in a big brown folder, stored miles away, if you've been in hospital you'll know it takes bloody ages anytime these need referred to. If you're (un)lucky they may be electronic and again take ages to refer to.

        A hospital (NHS data) is an obvious case where data needs to be accessible to the right people at the right time, not a free-for-all to all staff just in case, luckily it's already more secure than that and clearly needs to be made more so.

        1. Peter2 Silver badge

          @ Anonymous Coward.

          Having worked in NHS IM&T I can inform you that at least part of your records went electronic a really, really long time ago. Take a look at EMIS for a good example. EMIS entered the market in 1987. (https://www.emisgroupplc.com/who-we-are/our-history/) and around a decade or so ago had about 90% market share in our county because it was designed by doctors for doctors, and actually worked flawlessly unlike some of the competition's products.

          There is a basic need to know things like allergies to drugs that most people forget, but your doctor logged on your file.

          Just as a "for instance", possible but mildly rare side effects for morphine include heart attacks, seizures, and anaphylactic shock. Somebody coming in with serious injuries screaming with pain and needing painkillers is unlikely to be in the right frame of mind to provide such information, so it's in a summary care record so that the people who need to know have the information when they need it.

          Unauthorised use of patient data is of course severely punishable, and as noted in this story it does tend to actually work. Yes, trivia about stuff that happened about 30 years ago is held on a paper file because chances are that nobody can be assed to scan literally millions of old paper files for no particular reason. If it turns out the ancient history is in fact needed, then somebody can always pull the paper file.

          1. Anonymous Coward

            > it's in a summary care record so that the people who need to know have the information when they need it.

            ... and so that it can be sold on to corporations ("secondary uses")

          2. HmmmYes Silver badge

            Ah EMIS.

            Get On!

          3. Anonymous Coward

            Take a look at EMIS for a good example. EMIS entered the market in 1987. (https://www.emisgroupplc.com/who-we-are/our-history/) and around a decade or so ago had about 90% market share in our county because it was designed by doctors for doctors, and actually worked flawlessly unlike some of the competition's products.

            I beg to differ. I've installed the Emis client on many machines, and reinstalled on almost as many, as often that seems to be the only way to "fix" it when it refuses to work.

            The most common problem is just NOTHING HAPPENING when you try to start it, this can be for a variety of reasons but no errors are fed back. A simple "cannot contact server, check network cable" wouldn't hurt.

            ...and! ..and! get this - it has a sort of Launcher thing rather than just running like a normal app.

            The Launcher has the gall to put up a message saying something like "Emis will start shortly"

            LIKE IT'S UP TO THE PROGRAM IF IT WANTS TO START!!!

            Most of us have come to read the message as "Emis may start after an indeterminate amount of time, or more likely nothing will start except some sort of framework exe detectable only with task manager"

            And why is it that you log in with name, password, and a code for your area/dept

            yet if you want to log into a different area you have to load up a different emis program called "department swapper" or something, and tell it the code for the dept you will be logging into next time you launch emis.

            SO WHY is there a dept field on the logon box?

            Given that that field IS there, can emis not surmise that you want to log into dept X without you having to manually tell it beforehand?

            </rant>

        2. Korev Silver badge

          My records however are probably in a big brown folder, stored miles away, if you've been in hospital you'll know it takes bloody ages anytime these need referred to. If you're (un)lucky they may be electronic and again take ages to refer to.

          After graduating I worked in a "library" as you describe. This particular library was on a different site to the A&E unit, so from time to time an urgent request came through which would be found ASAP and then transferred by taxi. They were just about to start digitising the records when I moved onto a graduate level role.

          They operated a reasonably sane way of protecting "famous"* records, they kept them in the locked when empty supervisors' office and were then fetched by senior people when needed.

          *Famous = the odd minor celeb, the local football team and an (in)famous criminal** living at Her Majesty's pleasure

          **You'd have heard of him if you're British; but for obvious reasons I won't name him

        3. Anonymous Coward

          My records however are probably in a big brown folder,

          God, I hope not. I can only speak for the hospitals we own, but your records would be available immediately to anyone involved in your care.

          I go to Vanderbilt hospital here in Nashville, and no matter which facility I go to (usually 30 - 40 miles away from Vanderbilt since I live out in the sticks), they bring up my complete records as soon as I show up.

          If I get an XRay or other test done here at a small outpatient facility, it is generally reviewed by someone at the main Vanderbilt facility: before I leave, if it's urgent or the next day if not.

          Also, I can login over the internet and see my own records.

          Like I said, that is the standard for the 40+ hospitals/600+ clinics we own (Vanderbilt is not one we own - I go there because we don't actually own a hospital in Nashville). I had assumed that was pretty much the standard everywhere for large healthcare providers.

          1. Anonymous Coward

            Re: My records however are probably in a big brown folder,

            I recently wrote to NHS England asking them how I could get a copy of my records - because they boast that patients and staff can have easy access to records.

            But the records seem to be split into stuff that happened at

            - hospital
            - Doctor
            - dentist
            - drop in centre
            - etc etc

            Hence I emailed them to see how to bring it all together, 3 days later got a reply advising me they would reply ... nothing since

      2. Psyphr Guy

        I think Anon Co was referring to the fact that such controls should provide the same level of protection for all patients, rather than reviewing special controls for celebs and high profile characters.

        The article suggested that there would be extra for those in the public eye.

        My question would be what determines that decision who gets that special treatment.. and if such additional measures are deemed necessary how is that applied retrospectively and tracked going forward? Seems it would be unenforceable given what you say that access is needed for those emergency cases.. which of course is a totally valid scenario.

        Kudos for them picking it up and acting on it.. I’d speculate they were dobbed in by a colleague with a better handle on ethics, professionalism and integrity perhaps?

        1. Baldrickk Silver badge

          such controls should provide the same level of protection for all patients, rather than reviewing special controls for celebs and high profile characters

          Agreed, but then again, someone is more likely to want to snoop on their records than mine.

          You send fire engines to the house on fire, not to all houses just in case they catch fire.

          One hopes that the system ends up covering everyone properly, but cases where people are more likely to have their personal details abused probably should take priority.

          1. Peter2 Silver badge

            To be fair EMIS LV was decommissioned in favour of EMIS Web about a decade back.

            Should this be read by any people at county PCT level, how is Emis Web doing against SystmOne these days in terms of market share?

            1. Anonymous Coward

              To be fair EMIS LV was decommissioned in favour of EMIS Web about a decade back.

              Should this be read by any people at county PCT level, how is Emis Web doing against SystmOne these days in terms of market share?

              It's doing well around here, I'd say it's emis 90% system1 10%

              Note my above rant about Emis *is* the new version.

              And god knows why they call it Emis web when it requires a server at each site and a client program so complicated it trips over its own shoe laces most of the time.

              Just checked the service desk - 150 emis related calls in the last 4 weeks

      3. Anonymous Coward

        " patient's data needs to be available right the fuck now"

        You'd think then, that they would have bought much sturdier systems than "Docman" and "Emis" which seem to be unable to record or retrieve patient data with alarming regularity.

        1. DavCrav Silver badge

          "You'd think then, that they would have bought much sturdier systems than "Docman" and "Emis" which seem to be unable to record or retrieve patient data with alarming regularity."

          Sure, that's why the NPfIT... oh never mind.

    2. lafnlab

      Maybe the NHS is using different software, but in the US most hospitals have software that logs anytime someone's medical record is accessed. If they're not involved in the care of the patient, they're not supposed to access it. It's sort of an honor system - the software won't stop people from looking - but if they're not involved with the patient's treatment, they could be fired and/or sued.

      Also, employees aren't supposed to look at medical records of family, friends, or anyone else they're not treating.

      I deal a lot with HIPAA, and most hospitals are very serious about patient privacy.

      1. EnviableOne Bronze badge

        As I currently work in Information Security in the NHS I can confirm this is how it is dealt with.

        Basically anyone can access a patient, as the time taken approving someone's access in the case of an emergency may be the difference between life and death, but this is heavily audited and we check those logs on a regular basis.

        NHS policy states that all staff are bound by the common law duty of confidentiality, and that individual records should only be accessed for direct patient care.

        If anyone is discovered having accessed patient records outside this specific purpose, they are subject to disciplinary, and as seen in this story, it is treated seriously, and always reported to the ICO.

        This does not only happen for celebrities, if you look at the ICO website, you will see that several former Healthcare employees have been prosecuted.

        https://ico.org.uk/action-weve-taken/enforcement/?facet_type=Prosecutions&facet_sector=Health&facet_date=&date_from=&date_to=

        1. Anonymous Coward

          >>As I currently work in Information Security in the NHS I can confirm this is how it is dealt with.

          In that case, you probably know that the logs are meaningless, the shonky (archaic, unpatched) Citrix infrastructure can't reliably maintain sessions so people just stay logged on - or don't have time to take the risk of logging off and on again, using whatever session is available, if IT support can be arsed to pick up the phone (don't bother trying when the pubs open) they might just be able to kill off a session so you can log on cleanly after 45 minutes (once they have gone through the switch it off and on routine - the IT Crowd is literally a documentary).

          McDonald's have a better signon and logging system.

      2. macjules Silver badge

        Luckily we have GDPR where hospitals are now financially liable for breaches of patient data.

        I managed to write that with a straight face ..

      3. Anonymous Coward

        @ lafnlab

        "Also, employees aren't supposed to look at medical records of family, friends, or anyone else they're not treating."

        In UK if you have a relative working in the hospital it's a good idea to speak to them (and give them rights to look at your data) - they know the system and the staff, and so if you are e.g. on a ward with dullards in charge then your relative can keep them on their toes & ensure you get as good a treatment as possible (given the NHS being low on staff & cash the best treatment is often impossible as too costly - cheers NICE)

        AC obviously

  4. Crisp Silver badge

    Makes me wonder how much of this goes on at police stations

    There must be a lot of temptation there.

    1. Anonymous Coward

      Re: Makes me wonder how much of this goes on at police stations

      I have no idea. However I do know you probably should not upset your x if they work at a bank.

    2. Jason Bloomberg Silver badge

      Re: Makes me wonder how much of this goes on at police stations

      There is temptation and curiosity everywhere; anywhere where records are held and are accessible.

      It is up to people to overcome their temptations and put curiosity aside, backed-up by having systems in place which identify failures and appropriately punish those when they occur.

      People have to earn the trust others put in them, but we also have to accept that people are only human and naturally curious, that stupid one-off mistakes do happen in the heat of the moment. The punishment has to be fair and reflect the damage done to trust, the intent, and the consequences.

    3. LucreLout Silver badge

      Re: Makes me wonder how much of this goes on at police stations

      Makes me wonder how much of this goes on at police stations

      There must be a lot of temptation there.

      My only source for this is a friend who is a serving officer.

      Access is logged and audited regularly. You can be questioned about your access to records and need to be able to show they relate to an active investigation. Penalties for violations can be rather severe. That, of course, is not to say that it doesn't happen, but if detected it is always dealt with harshly (and quite rightly so).

  5. Gordon Pryra

    One reason the NHS should not have access to medical data

    The NHS can't be trusted with your data. They really can't, they don't understand security nor would they care if they did.

    The moment your information enters their system it may as well be open source.

    If it's not sold on to the likes of Google, it's read by anyone who wants to within the organisation.

    Back to my point, the NHS is not able to protect your data, every man and his dog has access to their systems. When I have worked there I have seen generic accounts being created for internal systems to "make things easier" for the operators. User1 Passw0rd

    So no tracking of who reads it, no accountability, no care at all of the data that comes into their incompetent hands.

    Someone I know very closely used to be a receptionist at a Doctors, she had printouts of all her friends' medical information.

    Seems like every couple of years you see an attempt to get our data, like the last time, to "consolidate" all data to a single datacenter or what's happening currently, trying to guilt people into handing over the data that they will already have hived the rights to off to Google

    This morning on the radio some idiot was saying how 10s of thousands of lives could be saved if only they had all our data to play with. And that data is anonymised!!

    Which begs the question how they will save people if they don't know who they are. Yeah yeah I know that's not what they meant, but still, I bet if I had asked the Politico what they meant they would have looked at me blankly and mumbled A.I. then accused me of treason and of having something to hide just before they head out to lunch with the rep from Zurich or Axa

    1. Anonymous Coward

      Re: One reason the NHS should not have access to medical data

      A doctor's surgery is not part of the NHS, they are independent contractors. I do work in the NHS and we do take a serious approach to handling data and ensuring it is protected.

      1. Anonymous Coward

        Re: One reason the NHS should not have access to medical data

        I was recently offered a small project working with patient data. I ran a mile 'cause this is life & death stuff.

    2. HmmmYes Silver badge

      Re: One reason the NHS should not have access to medical data

      Nope.

      You have meta data which will record the date, the login and which terminal was used to access medical records.

      Then, in the case of breach resulting in Ed's info being leaked, you track the person down and jail them.

  6. Fizzle

    Celebrity databases

    A very large Govt Dept that I was blessed to serve in for 40+ years had a database of all celebrities, people in the news, politicians, staff members and immediate family etc etc. Certain staff would trawl all the papers and online trending stuff and add the details to the database.

    A program would then cross-reference every single search made by any one of the 70K+ employees and if there was a match, the employee would be summarily dismissed. To avoid dismissal, one had to demonstrate unequivocally that there was a legitimate business purpose for the access. Woe betide you if you forgot to keep a personal note of why a particular person's details were accessed and then try and remember the reason weeks later!

    As far as I know, that was a model for the NHS and Police and it, or at least the principle behind it, still is I think.
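An added example (not part of the thread, and not the code of any NHS, police or government system): the after-the-fact audit that EnviableOne and Fizzle describe, run over a constructed access log. The log format, account names, care-team table, watchlist and justification register are all assumptions made for illustration.

```python
import re
from collections import namedtuple

Access = namedtuple("Access", "when user terminal patient")
# Assumed log format: timestamp, login, terminal, record opened.
LINE = re.compile(r"^(\S+) user=(\S+) terminal=(\S+) patient=(\S+)$")

# Constructed sample data, not taken from any real system.
SAMPLE_LOG = """\
2018-03-01T09:14:02 user=nurse_a terminal=WARD3-PC2 patient=P1001
2018-03-01T09:20:45 user=clerk_c terminal=RECORDS-PC1 patient=P1001
2018-03-01T10:02:10 user=dr_b terminal=AE-PC4 patient=P2002
2018-03-01T10:05:33 user=user1 terminal=WARD3-PC2 patient=P1001
2018-03-01T11:47:19 user=clerk_c terminal=RECORDS-PC1 patient=P2002
2018-03-01T12:30:00 user=porter_d terminal=AE-PC4 patient=P3003
garbage line
"""
CARE_TEAM = {"P1001": {"nurse_a"}, "P2002": {"dr_b"}, "P3003": {"dr_b"}}
WATCHLIST = {"P1001"}            # high-profile records, reviewed first
GENERIC_ACCOUNTS = {"user1"}     # shared logins: cannot be tied to a person
# Reasons recorded at the time of access (hypothetical register).
JUSTIFIED = {("clerk_c", "P2002"): "subject access request (constructed)"}


def parse(log_text):
    """Return (accesses, rejects); unparseable lines are kept, not dropped."""
    accesses, rejects = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            accesses.append(Access(*m.groups()))
        elif raw.strip():
            rejects.append(raw)
    return accesses, rejects


def review(accesses):
    """Flag accesses needing follow-up. Every patient gets the same checks;
    the watchlist only decides which findings are looked at first."""
    findings = []
    for a in accesses:
        reasons = []
        if a.user in GENERIC_ACCOUNTS:
            reasons.append("generic-account")
        in_team = a.user in CARE_TEAM.get(a.patient, set())
        if not in_team and (a.user, a.patient) not in JUSTIFIED:
            reasons.append("no-care-relationship")
        if reasons:
            priority = "high" if a.patient in WATCHLIST else "normal"
            findings.append((priority, a.user, a.patient, tuple(reasons)))
    # Stable sort: high priority first, log order preserved within each group.
    findings.sort(key=lambda f: f[0] != "high")
    return findings


if __name__ == "__main__":
    parsed, bad = parse(SAMPLE_LOG)
    for finding in review(parsed):
        print(finding)
    print("unparseable lines:", bad)
```

A finding on a generic account identifies the terminal and time but not the person, which is the gap other commenters raise about shared logins and sessions left open.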

    1. tip pc Bronze badge

      Re: Celebrity databases

      @Fizzle

      is that hearsay or were you called to explain yourself or knew anyone that was, or did you work on that DB or add data yourself?

      I've worked around a bunch of HO / Gov Depts and never saw or came across anything like that, heard plenty of tales about people being caught for eBaying Gov property though but that didn't seem to stop the breakers eBaying gear that had data still on it!!!

      1. Fizzle

        Re: Celebrity databases

        It really is true, and that's all I can say about it really, for obvious reasons.

        However there is an amusing follow-up. When the search engine was introduced, (this was before Data Protection laws had been put in place), the staff were encouraged to "play" with the system to gain speedy working knowledge. So of course everyone accessed all the celebrities etc.

        Someone at Head Office realised what was going on and introduced the security protocols to stop that. And then introduced the instant dismissal protocols to go with it!

      2. Doctor Syntax Silver badge

        Re: Celebrity databases

        "I've worked around a bunch of HO / Gov Depts and never saw or came across anything like that"

        Neither have I but my instant reaction was HMRC! Or its predecessor, IR.

  7. SVV Silver badge

    What an unimaginative lot

    I mean, if you're going to have an unauthorised snoop at some famous bod's details, choose a better target than Ed "interesting" Sheeran.

    1. horse of a different color

      Re: What an unimaginative lot

      Yes, I'd like to see Bono in hospital. (I'm not so bothered about seeing his medical records, tho).

  8. Herring`

    Sheeran?

    I'm not really familiar with his work, but he doesn't look the sort to have very interesting medical records.

    1. disgustedoftunbridgewells Silver badge

      Re: Sheeran?

      His ailment is clear to anybody with eyes.

      If he didn't want it to be known, there are products available from reputable manufacturers such as Schwarzkopf.

    2. Anonymous Coward

      Re: Sheeran?

      And I really doubt they have the size of his schlong in them anyway.

      What was the conversation around looking at his records like, anyway? I can't imagine it's all that thrilling:

      1: "Look up his blood type"

      2: "Here it is - O negative"

      1: "Ooh, universal donor! I'll do a blood draw on him any time!"

      2: "And he still has his tonsils!"

      1: "I'd remove them with my tongue if he wanted me to!"

  9. Psyphr Guy

    It’s a consent form, honest!

    Excuse me Mr Sheeran, could u just sign the consent form for me please.. oh and dedicate it to my mum that’d be great.. she’s a massive fan, thanks!

  10. Wellyboot Silver badge

    He has records? Lucky chap!

    I recently contacted my GP for the list of (many over decades) inoculations I've had and was informed that they couldn't find any medical file for me dating from before I registered with them a couple of years ago. (contacting previous GP of 25 years turned up blank as well)

    One can assume the tome now resides in storage, misfiled for eternity. I'm rather glad I don't (fingers crossed) have any issues for this to be fatal, others in this situation may be playing russian roulette on emergency admission.

    At least I now know that there's currently zero gossip or financial value in my records.

    1. Korev Silver badge

      Re: He has records? Lucky chap!

      One can assume the tome now resides in storage, misfiled for eternity. I'm rather glad I don't (fingers crossed) have any issues for this to be fatal, others in this situation may be playing russian roulette on emergency admission.

      As I mentioned above, I temped in a hospital records library for a while; there was a double-sided shelving unit, maybe 8m long, 2.5m high with individual bits of paper that had not been labeled properly. As temps we were also sent to look for notes which had been put in the wrong place, for example for #10020 you'd check #10200, #10002 etc.

      We also spent a long time (two of us for a week) searching for a deceased baby's notes which was the subject for an inquiry. I have no idea if these notes had been "accidentally" mislaid or not.

    2. A Non e-mouse Silver badge

      Re: He has records? Lucky chap!

      I had a job working in a doctor's surgery. It was surprising how often they failed to find patients' records. Some were literally found down the back of the filing cabinet.

  11. rg287 Silver badge
  12. Anonymous Coward

    Your own record

    I work for an NHS Trust and it is a disciplinary offence to even look at your own record.

    This is policed heavily.

  13. Anonymous Coward

    I presume the investigation was kept fairly quiet, otherwise it would have been easy for the staff members involved to get away with it. How? Just write up the case without including the patient details, and they could have claimed they were using it for professional development.

    I've slightly bent the rules a couple of times for friends, but only to the extent of finding out whether the results of tests are available and which doctor they've been sent to.


Biting the hand that feeds IT © 1998–2019