Rotherwood Healthcare AWS bucket security fail left elderly patients' DNR choices freely readable online A leak of 10,000 records at a Leicestershire care home provider exposed elderly patients' wishes not to be resuscitated, detailed care plans and precisely how much councils paid for individual patients' care. Not only did Rotherwood Care Group, trading as Rotherwood Healthcare, leave an Amazon Web Services S3 bucket accessible …
Social care in this country had been crippled from a decade of austerity. If you know anyone who works in the industry you don't need me to tell you that.
Hire care staff to actually wipe arses or spend the money on someone technical, you can't afford both.
So the bastards trying to make money off this shit show cut corners? Maybe time to bring it back under public ownership so we can concentrate on care not profit? You can moan and bitch about the unions in the 70s but everyone was entitled to a home, an education and health care. What the fuck do you get these days?
Their privacy policy still translates as follows:
Antioxidants such as at football. In addition, important long-start. Present sterilized chocolate policies. But the developer microwave bananas gravida carrots does not trigger the borders of. Or they may present clinical sapien innovative vehicles. No bananas biggest casino. It is just as easy, carrots orange lion. Mid need of peanut. A smile to sit enforcement does not always need a wireless network. The latest football peanut zero.
According to google anyway. I'm not sure it is the most accurate translation it's ever done.
Exceedingly personal patient details left on open web... Threatening lawyer's letters... Stay classy Rotherwood Healthcare!
No doubt the ICO will fail to fine them the apropriate max GDPR fine and their laissez-faire attidute to potentially vulnerable people's data will continue. This is common in care sector IT (which I recently left).
"We are unaware of any abuse of data."
Well d'uh. Is that because you were also completely clueless that your data was out there and wide open?
Mind you, in the interests of "open and transparent government", maybe it's a good thing that the costs charged to the Council are widely published.
“We at Rotherwood Group take the protection of personal data very seriously. Once we became aware of a security issue affecting some data held on our cloud-based system, we took immediate steps to rectify it."
Rectifying after someody else finds your mistake is not taking protection seriously. Taking protection seriously is not making such a mistake in the first place.
"There is no excuse in this day and age for AWS buckets to be left unsecured. Amazon provides tools for detecting and closing off inappropriately opened buckets..."
The thing is, I used to think this was missing. Well, maybe it once was. And, I suppose it could be better.
Yet more and more, it seems that there are too many out there throwing together projects at a level that is of the Dunning-Kruger variety.
AWS could well require a check box for a disclaimer form that would require acknowledgement that reasonable security scanners, development principles, and testing must be employed. But, we live in a click-through World.
There is no excuse in this day and age for AWS buckets to be left unsecured. Amazon provides tools for detecting and closing off inappropriately opened buckets...
You still miss the point, El reg. There is no such thing as an AWS bucket being "left unsecured". It takes a fair amount of active work on behalf of a user to make an AWS bucket insecure, by default they are completely locked down.
I second this second comment! Last year at an AWS shindig they pointed out the steps they have taken to stop this sort of thing happening. They even showed us how many hoops you have to jump through to make an S3 public.
Depeending how old the config is, you have to wonder if someone fudged the S3 to make it public as they couldn't be bothered to do it properly...
You may be mixing up medics who are careless with patient data, with medics who turn whistleblower, are sacked, forced out of their career and then vigorously pursued through the courts, threatened with financial ruin, etc. (Search Chris Day whistleblower for just one example.)
Wow!
Disclosure of your information
We may share your personal information with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the Companies Act 2006. We may share your information with selected third parties including:
Business partners, suppliers and sub-contractors for the performance of any contract we enter with them or you
Third parties who may wish to contact you in respect of services or products they offer or sell which may be of interest to you, provided we receive your consent to such disclosure; and/or advertisers and advertising networks that require the data to select and serve relevant adverts to you and analytics and search engine providers that assist us in the improvement and optimisation of the website
Please note we may need to disclose your personal information where we:
Sell any or all our business or assets or we buy another business or assets in which case we may disclose your personal data to the prospective buyer or seller
Are under a legal duty to comply with any legal obligation or to enforce or apply our terms and conditions; or
Need to disclose it to protect our rights, property or the safety of our customers or others, including the exchange of information with other companies, organisations and/or governmental bodies for the purposes of fraud protection and credit risk reduction
Just by the bye:
> elderly patients' wishes not to be resuscitated
UK people should be aware that while they may express a preference, the DNR decision and authority is solely the doctor's.
To be clear: you can tell your doctors and hospital you wish to be resuscitated --even put it in writing-- it doesn't matter. Whatever the doctor feels like jotting on your chart, that's it.
That's quite common - in our research sample about 2%.
I guess web developers have taken on board the "need for a privacy policy" and stuffed it into their templates but the client doesn't give two hoots and forgets to provide one.
The GDPR hasn't exactly failed, it's just not being used, but as it's effectively not policed nobody has noticed.
Rotherwood Healthcare's online privacy policy. It can be read here.
Er...
Your connection is not secure
The owner of rotherwood-healthcare.co.uk has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
Learn more…
Report errors like this to help Mozilla identify and block malicious sites
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
