Missing memory stick turns up five months later
2008-01-23 16:44:36 by Evan Francen in The Breach Blog
 
Date Reported:
1/23/08

Organization:
Specsavers Optical Group

Contractor/Consultant/Branch:
None

Victims:
Patients

Number Affected:
more than 340

Types of Data:
"names, addresses, dates of birth, home and mobile phone numbers and conditions"

Breach Description:
A memory stick containing sensitive personal information belonging to Specsavers diabetic patients was found last August (2007) in a Stockport (UK) car park. The person who found the memory stick forgot she had it until "she read about recent data loss scandals". Neither the owner nor anyone else suspected or noticed that it was missing.

Reference URL:
Manchester Evening News story

Report Credit:
Amanda Crook, Manchester Evening News
brought to the attention of The Breach Blog by an informed reader.

Response:
From the online source cited above:

A COMPUTER memory stick holding confidential medical information and personal details of hundreds of people was found in a car park.

The names, addresses, dates of birth, home and mobile phone numbers and conditions of more than 340 patients were on the device

no one had noticed it was missing even though it had been lost for several months.

Health bosses have launched an investigation

Most of the patients listed have diabetes and were part of a trial in preparation for a scheme providing eye tests for more than 10,000 people across Greater Manchester

The data stick contains encryption software but this had not been activated, meaning anyone could access the information

It is understood that the information on the memory stick relates to patients of Specsavers at 17 The Birtles in Wythenshawe

Health bosses will urgently write to all the patients involved to apologise and arrange to address any concerns.

The device was found in a Stockport car park.

Student Karen Hewitt, 30, from Burnage, found the memory stick behind Stockport Precinct last August but then forgot about it until she read about recent data loss scandals.

She said: "When I opened the file and saw a list of names and personal details I was shocked."
[Evan] Hah!  I would have been too.  I am often shocked when I find some of the things I find when conducting information security assessments and audits.

Managers of the regional sight testing project say the data was collected by opticians when the scheme was at pilot stage. Now they have tough security measures to protect their data base so they say a similar breach could not happen again.
[Evan] I don't know about you, but I would be interested to know what the "tough security measures" are!

Laura Roberts, chief executive of Manchester Primary Care Trust, said: "Because this incident relates primarily to Manchester patients, we will be conducting a full investigation."

Mike Burrows, head of the screening programme, said: "We were not aware there had been any loss of data and would like to thank the M.E.N. for bringing this to our attention.

"I can reassure any patients now going through the screening that their data is secure."

Anthony Showman, director of Wythenshawe Specsavers, said: "We were completely unaware that any patient data had been mislaid. We are launching an immediate internal investigation to try to ascertain how this information could have come into the public domain.
[Evan] Well for starters, somebody copied the data to a thumb drive and took it out of the office!

"We would like to reassure all our customers that Specsavers patient records are kept confidential and are 100 per cent secure at all times and that these records were part of the Manchester Diabetic Screening Scheme, not Specsavers' customer records."
[Evan] Say what?  "100 per cent secure at all times"?!  There is absolutely NO WAY to ever be 100% secure.  This statement alone demonstrates a complete misunderstanding of information security.

Commentary:
Who's going to notice a missing memory stick?  Corporate IT probably wouldn't.  Memory sticks are inherently dangerous to information security.  They are small, hold a ton of information, and are often used by poorly trained personnel.

The one statement that sticks out for me is "100 per cent secure".  Understand that there is no such thing as 100% secure.  Anyone who believes to the contrary is suffering from a false sense of security. 

Information security is an art.  The art entails "best practices" and risk management (among other things).  At The Breach Blog, we write about many breaches where no best practices were followed and no risk management applied.

Past Breaches:
Unknown