<![CDATA[[SecurityRatty] tag: bolton]]> http://securityratty.com/tag/bolton Thu, 10 Jan 2008 11:11:36 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[Castlecroft Medical Practice patient information at risk]]> http://securityratty.com/article/7d98e304d1a9c365580155e37aa7cb76 http://securityratty.com/article/7d98e304d1a9c365580155e37aa7cb76 Security Breach

Date Reported:
6/18/08

Organization:
NHS Trust

Contractor/Consultant/Branch:
Wolverhampton City Primary Care Trust
Castlecroft Medical Practice

Victims:
Patients

Number Affected:
~11,000

Types of Data:
"names, dates of birth, addresses, contact details and confidential medical records"

Breach Description:
"A laptop containing confidential medical records of all 11,000 Wolverhampton patients at a city surgery has been stolen from a GP’s house, police revealed today."

Reference URL:
The Press Association
The Express & Star

Report Credit:
The Press Association

Response:
From the online sources cited above:

A laptop containing confidential information about 11,000 patients has been stolen from a GP's home.
[Evan] This is now the 11th breach reported on The Breach Blog concerning NHS Trust and affiliated organizations.  What is the excuse?  Can the GP and/or Primary Care Trust and/or Medical Practice claim to not know the risks involved?

Contrary to Department of Health guidelines, the information was not encrypted, which would have made it unreadable without a special code to unscramble it.
[Evan] Are medical personnel aware of and required to follow the guidelines?  Are there penalties or sanctions for non-compliance?

The laptop was among items stolen in a recent burglary at the home of the unnamed doctor, who works at the Castlecroft Medical Practice in Wolverhampton.

The details of when and where the laptop was taken from are not being released, but a helpline has been launched for worried patients
[Evan] I could not find the helpline phone number; otherwise I would publish it for people.

The information on the computer, which belongs to the practice, included patients' names, dates of birth, addresses, contact details and confidential medical records.

The practice has written to all of its 11,000 patients to inform them that information about them was on the stolen computer.

Dr Peter Wagstaff, senior partner at the practice, said: "The practice is treating this issue very seriously and we are extremely sorry for any distress or concern that it may cause our patients. Though not encrypted, the confidential information on the laptop was protected by a complex password system, which only a person with specialist computer knowledge would be able to crack."
[Evan] If the organization were "treating this issue very seriously", and if it was "truly sorry" then why attempt to minimize the situation (risk) by using the password protection argument.  In my opinion (and that shared by many information security professionals), password protection is NOT an adequate preventative control to ensure the confidentiality of the information stored on a laptop computer.  This holds especially true in instances where the password protection is controlled by the operating system.  See: "Laptop stolen from a Quest Diagnostics employee" and "Not to worry: the stolen laptop was 'password-protected'".

He said the laptop appeared to have been stolen for its re-sale value, rather than for any information stored upon it.
[Evan] In my opinion, this is another attempt to minimize the situation and imply that the risk of confidential information disclosure is less than it may actually be.

Jon Crockett, chief executive of Wolverhampton City Primary Care Trust, said the trust was "extremely concerned" about the theft.

He said: "Patients and the public have the right to expect that those dealing with confidential information maintain the highest levels of security and we are carrying out a full and urgent investigation into this incident."
[Evan] Mr. Crockett makes a very valid point.

National guidance from the Department of Health is that any confidential information about patients must be stored in a safe and secure environment, and mobile devices - including laptops - which contain such data must be fully protected by encryption, he said.
[Evan] Again, Mr. Crockett seems to "get it".

Commentary:
The 11th breach for NHS Trust-affiliated organizations in less than 10 months and the fact that the cause of this one is so well publicized in other breaches does not instill much confidence.

The eleven breaches are only what has been reported on The Breach Blog, there may be more.

Past Breaches:
NHS Trust:
May, 2008 - Sandown Health Centre backup tape is missing
March, 2008 - Stolen NHS flash drive contained adolescent information
February, 2008 - Laptop missing from Russells Hall Hospital (UK)
January, 2008 - Stolen Bolton Hospitals Laptop affects cancer patients
January, 2008 - Queen Mary's Sidcup Hospital microfiche film goes missing
January, 2008 - Stockport Primary Care Trust flash drive goes missing
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Highly sensitive medical information found in the road
December, 2007 - Laptop stolen in Royal Bolton Hospital break-in
September, 2007 - Dudley Group of Hospitals NHS Patient Data For Sale on eBay

]]> Thu, 19 Jun 2008 07:54:50 +0000 information confidential information confidential information disclosure confidential information maintain practice castlecroft medical practice computer laptop computer adolescent information Castlecroft Medical Practice patient information at risk <![CDATA[Sandown Health Centre backup tape is missing]]> http://securityratty.com/article/930fdb89c35f1b9172d20874c9f9d1a1 http://securityratty.com/article/930fdb89c35f1b9172d20874c9f9d1a1 Security Breach

Date Reported:
5/19/08

Organization:
NHS Trust

Contractor/Consultant/Branch:
Isle of Wight NHS Primary Care Trust
Sandown Health Centre
City Link (the courier)

Victims:
Patients

Number Affected:
38,650

Types of Data:
Medical records

Breach Description:
"The Isle of Wight NHS Primary Care Trust and the Sandown Health Centre are taking action to reassure patients after a computer tape containing their personal details went missing."

Reference URL:
Isle of Wight NHS Primary Care Trust News
The Press Association
BBC News
eHealth Insider

Report Credit:
The Press Association

Response:
From the online sources cited above:

The Isle of Wight NHS Primary Care Trust and the Sandown Health Centre are taking action to reassure patients after a computer tape containing their personal details went missing.

The tape was sent in March to a London-based specialist GP software company who are responsible for maintaining their clinical software.

They carry out checks on computer back-up tapes to make sure they could be used effectively to restore information to the practice computer system in the event of a system failure or other emergency such as a fire.

Unfortunately, the tape has not been received back at the Health Centre, having been despatched by the company through a courier service in March.

Sent on 11 March, it took two months before the tape’s disappearance was discovered by INPS and the PCT.
[Evan] The amount of time that it took to notice that the tape was missing is cause for concern.

The tape was meant to be tracked at every stage by City Link to ensure it reached its destination - the courier firm admitted this had not happened and it is now investigating the loss.

A spokesperson said: "We are naturally very concerned by the loss of our customer’s consignment and a rigorous search for the parcel continues. We are doing everything in our power to resolve the matter and return the package as quickly as possible."

It is presumed that the tape has been lost, possibly permanently, although all possible efforts are being made to try and find it.

The tape contains medical records of 38,650 current and past patients of the Health Centre from July 1996 onwards.

It includes all current patients and large numbers of patients who registered on a temporary basis whilst visiting or working on the Island and patients who have since transferred to practices elsewhere.

It is standard practice for GPs to hold patient details for at least ten years after they are no longer registered with them.
[Evan] Some of the information on the tape dates back 12 years, but that is still in accordance with "at least ten years".

the risk of the tape being misused is extremely small

The tape requires specialist computer equipment to run it and the data is password protected.

In addition, highly advanced computer skills and/or access to a specialist programme only normally used by GPs and the data verification company are needed to make any sense of the information on the tape.
[Evan] According to the eHealth Insider story the tape was encrypted.  Is the "specialist programme"?  If this is the case, and presuming that good password management practices were followed, then I agree with the assessment that the risk of disclosure is probably small.

The PCT is working with the practice to contact as many patients as possible and is in the process of writing to those who are currently still registered with the practice.

a dedicated telephone helpline has been set up and can be contacted on 0845 602 6834 between 8am and 8pm from Monday to Friday

The Interim Chief Executive of the PCT, Margaret Pratt, said:  "Although there is very little chance of anyone being able to do anything untoward with this tape, should they find it, it is potentially a very serious loss of confidential information.

"It is important that everyone concerned continues to do everything possible to try and locate the tape and that is happening.  It is equally important that we provide reassurance to patients over the level of risk that their personal information could be misused and I am confident that risk is extremely small."

"I should stress that neither the Health Centre nor the NHS more widely on the Island are in any way responsible for this tape going missing.  However, we will, of course, be reviewing the procedures used for data verification by practices to see if there are lessons to learn."

Dr Peter Randall, Senior Partner at the Sandown Health Centre, added:  "We have another copy of the back-up tape and our main computer records system is not affected by this. So we still have access to all the information we need and patient care is not compromised in any way."

"My own view is also that the risk of any harm resulting is minimal.  My own family are registered as patients at this practice which means their details are amongst those on the tape.  I have no worries about the information falling into the wrong hands and being used improperly."

The incident comes five months after NHS chief executive David Nicholson wrote to all NHS trust chief executives telling them to review and tighten their information governance and data transfer arrangements.
[Evan] Unfortunately, it took a number of breaches before Mr. Nicholson issued his directive.  Better late than never.  He should be commended in regards to the directive.  My hope is that the NHS follows good information security governance practices and continually strives to improve their information security program(s).

Commentary:
There was no mention (unless I missed it) of encryption in the official Isle of Wight NHS news announcement.  The encryption mention comes in the eHealth Insider report.  It is also not clear what "medical records" entails exactly.

Past Breaches:
NHS Trust:
March, 2008 - Stolen NHS flash drive contained adolescent information
February, 2008 - Laptop missing from Russells Hall Hospital (UK)
January, 2008 - Stolen Bolton Hospitals Laptop affects cancer patients
January, 2008 - Queen Mary's Sidcup Hospital microfiche film goes missing
January, 2008 - Stockport Primary Care Trust flash drive goes missing
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Highly sensitive medical information found in the road
December, 2007 - Laptop stolen in Royal Bolton Hospital break-in
September, 2007 - Dudley Group of Hospitals NHS Patient Data For Sale on eBay

]]> Tue, 27 May 2008 09:14:16 +0000 tape health centre sandown health centre data verification data verification company back-up tape computer tape information personal information Sandown Health Centre backup tape is missing <![CDATA[Stolen NHS flash drive contained adolescent information]]> http://securityratty.com/article/77471a2acba37c8287ae843ab0dbf717 http://securityratty.com/article/77471a2acba37c8287ae843ab0dbf717 Security Breach

Date Reported:
3/5/08

Organization:
NHS Trust

Contractor/Consultant/Branch:
Telford and Wrekin Primary Care Trust (PCT)
Madeley Health Centre

Victims:
Adolescent patients

Number Affected:
238

Types of Data:
Names, dates of birth, addresses, and clinical treatment details

Breach Description:
A laptop was stolen from a speech therapist at the Madeley Health Centre in Shropshire (UK).  According to officials the laptop has been secured, but a flash drive containing personal information belonging to child patients of the clinic is missing.

Reference URL:
Computerworld
BBC News
The Shropshire Star

Report Credit:
The Shropshire Star

Response:
From the online sources cited above:

A laptop containing personal details of more than 200 children has been stolen from a Shropshire medical center.

Telford and Wrekin Primary Care Trust (PCT) confirmed a laptop was stolen from the Madeley Health Centre, while one of its language therapists was running a clinic and had left the laptop in an adjacent room.

It has since been disconnected from the NHS network to ensure no access to data, but a memory stick with 238 patients' details is still missing.
[Evan] Information security professionals need to reduce the risk of exposure to the information, NOT the laptop.  The information must be secured wherever it resides.

These records include patient names, date of births, and addresses as well as the details of their speech and language therapy treatment.

Simon Conolly, Telford & Wrekin PCT chief executive said in a statement that the laptop had been fitted with encryption software to comply with the high NHS security standards.
[Evan] This is an excellent decision and practice by NHS, but if copying confidential information to flash drives is allowed without restriction then it doesn't do a whole lot of good in the end.  Sounds obvious, but the facts speak for themselves.

"The equipment was also fitted with sophisticated tracking equipment and the police were informed immediately."

The PCT said it informed patients of the breach as soon as the theft was reported, and the trust is undergoing a thorough investigation.
[Evan] In my opinion, another good call by officials.  Notifying victims sooner rather than later is good practice (as long as it doesn't hinder the investigation).

Conolly said: "All staff are given strict instructions about all aspects of security on patient records, for example not to leave laptops in cars. It is extremely unfortunate that the equipment has been stolen from the NHS clinic while the therapist was working there. A thorough internal investigation is being carried out and if there are lessons to be learnt from this incident, the PCT will be ensure that security measures are reinforced."
[Evan] How about some additional controls around removable media?  Or, if possible prohibit their use altogether with respect to confidential information.

Telford police spokeswoman Denise Wakefield said the theft of the Flybook laptop happened on February 27 at 4.50pm.

Anyone with information about the theft is asked to call police on 08457 444888.

Commentary:
I get tourqued when I read about breaches that affect children.  If what is being reported is actually the truth, then the risk to the children in minimized by the fact that there isn't a lot of potential for fraud.  I wonder if there was more information on the flash drive though.

Information security is a holistic discipline.  We strive to take into account all risks to unauthorized information disclosure, modification and destruction.  While encrypting laptops is recommended as part of an overall information security strategy, it is equally important to remember the goal of the information security program and protect the information in all locations and forms (i.e. CDs, flash drives, print outs, etc.). 

Past Breaches:
NHS:
February, 2008 - Laptop missing from Russells Hall Hospital (UK)
February, 2008 - Stolen Bolton Hospitals Laptop affects cancer patients
January, 2008 - Queen Mary's Sidcup Hospital microfiche film goes missing
January, 2008 - Stockport Primary Care Trust flash drive goes missing
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Medical information found in the road
December, 2007 - Laptop stolen from Royal Bolton Hospital NHS
September, 2007 - Dudley Group of Hospitals NHS hard drives for sale on eBay

]]> Thu, 06 Mar 2008 08:23:26 +0000 information personal information medical information information security confidential information information security strategy nhs information disclosure information security program Stolen NHS flash drive contained adolescent information <![CDATA[Laptop bought on eBay contained "highly confidential" Home Office disk]]> http://securityratty.com/article/542dae17dbc72823ffb04451ce5a44c0 http://securityratty.com/article/542dae17dbc72823ffb04451ce5a44c0 Security Breach

Date Reported:
2/28/07

Organization:
The Home Office (UK)*

*"The Home Office is the government department responsible for leading the national effort to protect the public from terrorism, crime and anti-social behaviour." - Source Home Office About Us page

Contractor/Consultant/Branch:
Leapfrog Computers

Victims:
N/A

Number Affected:
N/A

Types of Data:
Unknown - labeled "Home Office - highly confidential"

Breach Description:
A laptop reportedly purchased through eBay contained a CD marked "Home Office - highly confidential" under the keyboard and above the circuit board.  The purchaser brought the computer to Leapfrog Computers in Westhoughton (UK) for repair where the technician discovered the encrypted compact disc.

Reference URL:
The Bolton Evening News
BBC News
Associated Press
Leapfrog Computers online statement

Report Credit:
Lee Bevan, Leapfrog Computers, brought to the attention of The Breach Blog by an informed reader

Response:
From the online sources cited above:

A highly confidential Home Office disk was found hidden in a laptop computer sold on eBay.

The CD was found between the keyboard and circuit board of the laptop by computer repair technicians
[Evan] Obviously the CD was put under the laptop on purpose.  But why and by whom?

Technicians at the shop called police who sent around anti-terrorist officers to confiscate the machine

The Home Office said investigations were under way into the incident.

The laptop had been taken into the Leapfrog Computers store by a customer who bought it on the internet auction site.

When engineers took off the keyboard they found a CD marked "Home Office - highly confidential".

Managing director Lee Bevan said: "I thought it was a spoof at first - I just figured someone was having a joke."

Mr Bevan put the disk into the drive to check it and found it was encrypted.
[Evan] I understand how curiosity can drive someone to put the disk in the drive to find out what is/was on it, but I wouldn't suggest doing this if it's marked "Home Office - highly confidential".  Thankfully the disk was encrypted because this could have been a different story for Mr. Bevan had it not been.

Founder and managing director Lee Bevan contacted police, who spent three hours interviewing him.

Officers from Greater Manchester Police took the laptop and disk away but have now concluded their investigation

The Home Office — the government body responsible for maintaining law and order and fighting terrorism — confirmed the disc was genuine and said it was investigating the incident.

A Home Office spokesman said: "Both the laptop and the disk were encrypted, thus safeguarding any information that might be stored on them.

"Investigations are now under way. It would be inappropriate to comment further while they are ongoing."

Staff at Leapfrog are being finger-printed and having DNA swabs to rule them out of the investigation.
[Evan] Think the Home Office is taking this seriously?  Uh, yeah I would say so.

Mr Bevan, aged 36, said: "The disc had been put inside the laptop on purpose. As soon as we found it, we contacted the police, who came immediately.

"I'm just glad it's turned up here rather than landing in the wrong hands.

"I don't know where the disc has come from. I have never seen a disc stored in this way before."

Commentary:
This is very interesting and mysterious.  How did the disk get there, who put it there, and for what purpose?  I wonder if the disk was put under the laptop keyboard in order to get it out of a building or other secure facility without being noticed.  Some high security organizations will actually check baggage and drives for the existence of disks, thumb drives and other mobile media. 

Q.  What could have made this much worse?
A.  If the data on the disk is/was actually "highly confidential", the disk was not encrypted, and someone with bad intentions found it.  Encryption is a very good thing, but only as good as the key management process that goes along with it.  For instance, full disk encryption can easily be defeated on a laptop with a Post-It note that says "Username: john.doe, Password: G3tMy!-Key".  Get what I am saying?

Past Breaches:
Unknown

]]> Thu, 28 Feb 2008 13:10:38 +0000 home office disk laptop source home office home office spokesman director lee bevan lee bevan highly confidential leapfrog computers Laptop bought on eBay contained "highly confidential" Home Office disk <![CDATA[Laptop missing from Russells Hall Hospital (UK)]]> http://securityratty.com/article/4a6172db8a71f63b3eb40c6f7757d0d5 http://securityratty.com/article/4a6172db8a71f63b3eb40c6f7757d0d5 Security Breach

Date Reported:
2/13/08

Organization:
NHS Trust

Contractor/Consultant/Branch:
The Dudley Group of Hospitals 
Outpatient Department at Russells Hall Hospital

Victims:
anticoagulation patients*

*people who suffer from blood-thinning problems

Number Affected:
5,123

Types of Data:
"medical records"

Breach Description:
A laptop was stolen from the Outpatient Department of Russells Hall Hospital in Dudley, West Midlands, on January 8.  The laptop contained sensitive medical records and personal information belonging to people who suffer from blood-thinning problems.

Reference URL:
The Dudley Group of Hospitals statement to the press
The story on The Independent online 

Report Credit:
The Dudley Group of Hospitals

Response:
From the online sources cited above:

A laptop computer was stolen whilst an anticoagulation clinic was being held in the Outpatient Department at Russells Hall Hospital on 8 January 2008.

The laptop held a database that had limited clinical records of 5,123 anticoagulation patients on it.

The database is password/login protected and a separate Trust login and password is required to operate the laptop. Accessing patient information will therefore be difficult.
[Evan] I would not say that accessing the information would be difficult.

Clearly this is a serious issue.
[Evan] Clearly!

We take precautions to try to protect all the I.T. equipment in our hospitals from theft, but given that this is a public building with thousands of people accessing it every day, there are inevitably practical difficulties around security.
[Evan] This is one of the reasons why information security has a concept called "defense in depth".  Higher physical security risk environments require mitigating controls such as encryption, alarms, increased surveillance, physical cable locks, etc.

Our security team work very hard to ensure the safety of our staff, patients and visitors, but it is very difficult to mitigate against all deliberate acts of theft.

To help alleviate any concerns and answer any questions that might arise, staff in the clinic have been talking to the patients about the theft and giving them an explanatory letter which gives them information about the database and explains that the data is not easily accessible.

Letters have also been sent to patients’ home addresses so as to ensure that every patient affected has been notified as soon as possible.

We have no evidence that the patient information on the stolen laptop has been accessed.

The Trust takes its responsibility for data protection and security very seriously and in 2007 commissioned the roll out of new data encryption software.
[Evan] Amen!

The deployment has now begun and the data encryption software is being loaded onto all Trust owned laptops.
[Evan] The word I keyed in on immediately was "all".

We are also taking steps to implement a series of other actions:

The data encryption software will also be loaded onto all mobile devices which includes Trust PDA’s and memory sticks.
[Evan] Excellent, and again the word "all".

In-line with Department of Health guidelines, we are conducting an in-depth review of the transfer of patient data.

The Trust has instructed an independent consultant to conduct a penetration audit of the Trust’s network, which will look in detail at the security infrastructure in place to ensure that systems cannot be hacked into.

All old PCs, laptops and PDA’s are wiped using a degausser before they are disposed of.
[Evan] Another excellent idea.  Remember the University of Glamorgan study?  The Dudley Group of Hospital is stepping it up, and patients will benefit.

We would like to apologise for any concern this matter has caused those patients affected, and would like to reassure them that the information on the database is unlikely to be recoverable.

The recent £135,000 investment in additional data security together with these actions provides us with the best assurance that the data we hold relating to our patients is safe at all times.

Commentary:
After reporting numerous information security breaches involving the NHS Trust, it is refreshing to read that they are making changes for the better.  I think I have written enough about them, and would prefer not to write anymore.

Past Breaches:
NHS:
February, 2008 - Stolen Bolton Hospitals Laptop affects cancer patients
January, 2008 - Queen Mary's Sidcup Hospital microfiche film goes missing
January, 2008 - Stockport Primary Care Trust flash drive goes missing
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Medical information found in the road
December, 2007 - Laptop stolen from Royal Bolton Hospital NHS
September, 2007 - Dudley Group of Hospitals NHS hard drives for sale on eBay


]]> Fri, 15 Feb 2008 11:08:13 +0000 information personal information medical information data data protection information security data encryption software russells hall hospital hospital Laptop missing from Russells Hall Hospital (UK) <![CDATA[Stolen Bolton Hospitals Laptop affects cancer patients]]> http://securityratty.com/article/6689c351ad5bf82f1930c68e60ea7c2c http://securityratty.com/article/6689c351ad5bf82f1930c68e60ea7c2c Security Breach

Date Reported:
1/30/08

Organization:
NHS Trust

Contractor/Consultant/Branch:
Royal Bolton Hospitals

Victims:
"gynaecology cancer patients from Bolton, Wigan and Salford"

Number Affected:
200

Types of Data:
"names, addresses, information, their diagnosis and treatment and clinical correspondence between medical staff"

Breach Description:
A laptop computer containing sensitive personal information belonging to gynaecology cancer patients from Bolton, Wigan and Salford (UK) was stolen from the office of a radiology consultant in October 2007, but only recently came to light.

Reference URL:
The Bolton News online story

Report Credit:
Jane Lavender, The Bolton News with a special thanks to an informed UK Breach Blog reader

Response:
From the online source cited above:

A COMPUTER containing the personal details of cancer patients has been stolen from the Royal Bolton Hospital.

Thieves struck in October - but hospital bosses only made details of the incident public yesterday.
[Evan] I hope that the "hospital bosses" notified the victims much sooner!

"There is no evidence at all that whoever took the computers took them for the data. These machines were valuable, portable objects. The theft of computer equipment plagues this organisation and many others." - Ann Schenk, director of service development at the hospital
[Evan] These statements are meant to minimize the situation.  I understand what Ann is saying, but I don't agree with its purpose.

The computer containing the cancer patients' details was stolen when thieves broke into the office of a consultant radiologist during the night.

The computer contained the details of 200 gynaecology cancer patients from Bolton, Wigan and Salford.

Information included patients' names, addresses, information, their diagnosis and treatment and clinical correspondence between medical staff.

Hospital bosses contacted all patients to inform them of the theft, but insist all information is data- protected and cannot be accessed by anyone other than the relevant hospital staff.
[Evan] Baloney!  If the information was not encrypted (with good key management), then the data can absolutely be accessed by anyone.

From next month, all information will be stored on a central server - a secure storage network - rather than on individual hard drives. All new laptops will also have controlled encryption software to make sure no-one but hospital staff can access them.
[Evan] Nice.  It only took a few lost/stolen laptops/computers before Bolton Hospitals got it.  Some organizations never get it.  Better late than never.

More than 300 laptops which have been already issued to staff are being recalled over the next three months so the encryption software can be installed.

Encryption software for memory sticks and pen drives will be installed on all equipment by the end of February and managers have been asked to carry out risk assessments on all computers and laptops.

Staff have also been told not to transfer any data until the encryption software has been installed.
[Evan] All good.  Bolton Hospitals is taking the protection of confidential information very seriously.  Kudos to Bolton Hospitals.

Heather Edwards, head of communication at the Royal Bolton Hospital, said: "While we believe the risk of anyone using any of the information is extremely small, we felt patients had the right to know what had happened.

"I'd like to repeat our apologies that such an event happened and reassure people that the hospital is taking this very seriously.

"We fully understand the anxiety the theft of data can cause and we have stepped up security of premises, as well as investing around £200,000 in additional IT security."
[Evan] The amount of money could equate to how serious Bolton Hospitals is about information security.  Let's hope that the money is well spent in the right places.  So far, things sound promising.

Commentary:
Bolton Hospitals and NHS Trust in general have been fodder for much information security discussion over the past few months.  Although it took more potential victims before Bolton Hospital got the hint, at least they got the hint.  I am impressed with Bolton Hospitals' response to THIS breach.  I am hopeful that more organizations will take heed (at least more NHS Trust organizations).

Past Breaches:
NHS:
January, 2008 - Queen Mary's Sidcup Hospital microfiche film goes missing
January, 2008 - Stockport Primary Care Trust flash drive goes missing
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Medical information found in the road
December, 2007 - Laptop stolen from Royal Bolton Hospital NHS
September, 2007 - Dudley Group of Hospitals NHS hard drives for sale on eBay

]]> Mon, 04 Feb 2008 07:47:22 +0000 royal bolton hospital bolton hospital bolton hospitals hospital relevant hospital staff hospital staff patients bolton medical information Stolen Bolton Hospitals Laptop affects cancer patients <![CDATA[Queen Mary's Sidcup Hospital microfiche film goes missing]]> http://securityratty.com/article/72b612bcaa16a8d0e8389d59760b1aea http://securityratty.com/article/72b612bcaa16a8d0e8389d59760b1aea Security Breach

Date Reported:
1/16/08

Organization:
Queen Mary's Sidcup NHS Trust

Contractor/Consultant/Branch:
None

Victims:
Employees of Queen Mary's Hospital from 1974 through 1996

Number Affected:
"thousands"

Types of Data:
"may include names, addresses, National Insurance numbers, bank details and job titles"

Breach Description:
Confidential personal information belonging to workers employed by Queen Mary's Hospital from 1974 to 1996 is reported missing after a microfiche film containing the information turned up missing from a secure room at the hospital.  Along with the missing film was the machine used to read it.

Reference URL:
The News Shopper online story
BBC News story

Report Credit:
Linda Piper, News Shopper

Response:
From the online sources cited above:

PERSONAL information about thousands of workers at Queen Mary's Hospital, Sidcup, has gone missing.

The information, which may include names, addresses, National Insurance numbers, bank details and job titles, disappeared while being held in a secure room at the Frognal Avenue hospital.

The data, all contained on microfiche film, was due to be moved to another secure site within the hospital when it was discovered the film, and a microfiche reader, were missing.

Acting chief executive Lorraine Knight says the information related to staff working at the hospital between 1974 and 1996 and was due to be destroyed.

Some of the film had been recovered, but most of it was still missing.

some of it was payroll information, but there were also a number of leavers' forms
[Evan] I had no idea what a "leaver's form" was.  I had to look it up.  For the U.S. readers that don't know, a leaver is exactly what the word implies, a person who "leaves".  Makes sense.

It is not known whether the film was stolen or has just been lost.
[Evan] According to the next excerpt, the hospital conducted two internal investigations and still could not find the film.

The discovery was made at the beginning of October and since then the hospital says it has conducted two internal investigations, which have failed to turn up the missing film, or any clue to its whereabouts.
[Evan] Was this two (up to 3) months to conduct an investigation into a missing microfiche, before notifying the persons affected?  If so, that seems too long.  I can understand (not agree with, but understand) the missing microfiche film because they are small, but isn't a microfiche reader typically bulky (like the one below)?  There is no mention if the reader was found.



Bexley police have been informed

there is no evidence the room where the records had been stored had been broken into

police have advised the hospital it is unlikely the information has fallen into the wrong hands.
[Evan] If the information is not in the hands of the owner or the custodian, then woes hands is it in?

Queen Mary's says it has now set up new policies and rules for storing, retaining and disposing of data.
[Evan] Excellent.  Hopefully they are well-written.

There will also be extra training for staff who handle confidential information.
[Evan] Excellent again!  The next step after writing (with executive sponsorship) policy and procedure is to train the people affected.

A helpline has been set up for present and former staff whose personal details may be on the films and will be open Monday to Friday from 10am to 3pm on 020 8309 0247

The hospital is also writing to staff, who are advised to check their bank accounts and inform both their bank and the police if there have been any suspicious transactions

Commentary:
It's not very often anymore that microfiche containing sensitive personal information is reported lost or stolen.  I wonder what happened to all of those microfiche films and readers that I used in the library growing up.  I just called my county library, and they don't have them anymore.  The lady at the library seemed a little taken aback by the question.

No matter how confidential information is stored; paper, electronic, or on microfiche, it still requires the same level of protection.  In this case, the hospital was storing the films in a "secured" room when they went missing.  The definition of "secured" obviously varies from person to person, but at the end of the day the information is still missing.  I was pleased to read that the hospital has written new policies to address data storage and disposal and even more pleased to read that they were training their staff.

Past Breaches:
NHS:
January, 2008 - Stockport Primary Care Trust flash drive goes missing
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Medical information found in the road
December, 2007 - Laptop stolen from Royal Bolton Hospital NHS
September, 2007 - Dudley Group of Hospitals NHS hard drives for sale on eBay

]]> Tue, 22 Jan 2008 09:22:25 +0000 confidential personal information personal information sensitive personal information microfiche film microfiche film hospital information medical information Queen Mary's Sidcup Hospital microfiche film goes missing <![CDATA[Stockport Primary Care Trust flash drive goes missing]]> http://securityratty.com/article/aae1837c4452fc4ccf93ae7d1330768b http://securityratty.com/article/aae1837c4452fc4ccf93ae7d1330768b Security Breach

Date Reported:
1/18/08

Organization:
Stockport Primary Care Trust NHS

Contractor/Consultant/Branch:
None

Victims:
Patients

Number Affected:
4,000

Types of Data:
"NHS number, Specific Stockport PCT identification number, First and second name, Date of Birth, Sex, Condition (if condition was chronic obstructive pulmonary disease, asthma, heart failure, coronary heart disease, diabetes or epilepsy), GP code and practice code and GP Name"

Breach Description:
A staff member working for the Stockport Primary Care Trust lost a flash drive sometime between parking her car and arriving at her desk in December, 2007.  The flash drive was on a lanyard around her neck when it was lost and it contained senstive personal information belonging to patients of the trust.

Reference URL:
Stockport Primary Care Trust NHS Press Release dated 1/18/08
Manchester Evening News Story
ComputerWeekly News Story

Report Credit:
Amanda Crook, Manchester Evening News
brought to the attention of The Breach Blog by an informed reader.

Response:
From the online sources cited above:

In early December 2007 a member of staff of Stockport PCT lost a USB drive containing limited information on approximately 4000 patients. This happened between parking the car and arriving at her desk. The drive was on a clip on a lanyard around the neck and somehow came free and was lost.

Health bosses decided not to tell patients about the loss because they believe the data could not be used in an identity fraud.
[Evan] Whether or not the information could be directly used for identity fraud should be irrelevant to the decision to notify patients.  This is personal information that belongs to the patients, not Stockport PCT.

The USB drive (memory stick) included a file which contained the following details:

NHS number, Specific Stockport PCT identification number, First and second name, Date of Birth, Sex, Condition (if condition was chronic obstructive pulmonary disease, asthma, heart failure, coronary heart disease, diabetes or epilepsy), GP code and practice code and GP Name

Immediate steps were taken to search for the drive by retracing the path of the staff member but the drive has not been found.

The loss was an accident rather than any systematic failing in management and governance.
[Evan] I strongly disagree with this statement made by Stockport PCT.  This IS a failure of information security management and governance!  The storage of sensitive information on portable media without additional controls such as encryption must be prohibited.  This is accomplished through policy, training and awareness, standards and procedures, and technical controls.  The fact that this statement is made by Stockport PCT demonstrates a fundamental mis-understanding on information security roles and responsibilities.

Indeed the security of the information had been considered and the data was being carried personally to avoid being sent by e-mail.
[Evan] So the sensitivity of the information was taken into account, and still not secured adequately.  There are FREE programs and utilities available to encrypt files, folders and entire drives.  It would have added an additional 15 minutes to download the program, install it, and use it.  I'm guessing that the aftermath has taken considerably longer in terms of time spent in response.  Some flash drives even come with encryption built-in!

The PCT has taken further steps to emphasise to staff the importance of vigilance in carrying/sending personalised data.

The loss of the data has had no adverse impact on the services provided by Stockport PCT and GPs. The data loss was reported centrally at the time of the loss and again on the recent NHS wide audit of data losses.

‘I want to apologise personally for any inconvenience and distress this may have caused patients. Clearly the recent events concerning loss of personal data have raised the awareness and importance of this matter. I want to assure patients that I believe there is no possibility of any “identity theft” as a result of this loss, and let you know that steps have been taken to ensure this never happens again.’, Richard Popplewell, Chief Executive
[Evan] I do give credit to Mr. Popplewell for issuing a statement.  I have said this before, but I will say it again.  When a Chief Executive speaks on information security matters, it shows that they recognize that the information security "buck" stops with them.

An information line has been set up to deal with patient enquiries and concerns. The number is 0161 426 5678.  You can contact the information line between 10am and 2m on Saturday 19th January and 9am and 5pm between 21st and 25th of January. After this date please call 0161 426 5014 (this will be an answerphone and somebody will call you back).

Commentary:
Does the UK have an equivalent to the U.S. HIPAA?  I am not well-versed in UK data security laws, so I don't know.

Using flash drives without additional controls to carry confidential information is very risky business.

Past Breaches:
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Medical information found in the road
December, 2007 - Laptop stolen from Royal Bolton Hospital NHS
September, 2007 - Dudley Group of Hospitals NHS hard drives for sale on eBay

]]> Mon, 21 Jan 2008 06:44:46 +0000 senstive personal information personal information information medical information information security matters information security information security management information line management Stockport Primary Care Trust flash drive goes missing <![CDATA[Oldham Primary Care Trust NHS loses two data sticks]]> http://securityratty.com/article/1fa6887ba7491f504446d387e63807fc http://securityratty.com/article/1fa6887ba7491f504446d387e63807fc Security Breach

Date Reported:
1/11/08

Organization:
Oldham Primary Care Trust NHS (PCT)

Contractor/Consultant/Branch:
None

Victims:
PCT "clients"

Number Affected:
148

Types of Data:
"The information lost related to copies of assessments about future healthcare needs held in a secure central file. It included people’s names, addresses and dates of birth."*

*I'm not sure if this means that copies of assessments AND names, addresses and dates of birth OR just names, addresses and dates of birth.

Breach Description:
The Oldham Primary Care Trust NHS has issued a press release announcing the loss of two "data sticks" containing personal information belonging to clients that had contact with the organization's continuing care service.  A total of 148 clients were affected by the breach.

Reference URL:
The Oldham Primary Care Trust NHS Press Release
Manchester Evening News Story

Report Credit:
Oldham Primary Care Trust NHS

Response:
From the online sources cited above:

A breach of information security has taken place. Two data sticks containing information relating to 148 clients who have been in contact with the PCT’s continuing care service have been reported missing.

This should never have happened.
[Evan] Got that right.

All the individuals affected have been identified. Our first priority has been to try to contact all 148 individuals, or their representatives, personally. We have made personal contact with 145, and offered to visit them. We are waiting for three to get back to us after several attempts to contact them.

We have followed up the contacts in writing with our sincere apologies, and have set up a
dedicated freephone information line for those who may have further questions.

The information lost related to copies of assessments about future healthcare needs held in a secure central file. It included people’s names, addresses and dates of birth. It did not contain financial information.
[Evan] It's a little unclear to me what this means exactly.

There is no risk at all to anyone’s future care.

A formal internal investigation has been launched.

The PCT takes patient confidentiality extremely seriously and has taken immediate action to prevent any further similar incidents.  All data sticks containing ‘personal’ information have been recalled, and a full and thorough review of current processes and procedures is now underway.

Gail Richards, Oldham PCT chief executive, said: “We are deeply sorry – this should never have happened. We have launched a full and thorough investigation, and are reviewing our current policies relating to data storage.
[Evan] It's always a good sign when a "chief executive" comments on security.  I have said this before, but it shows that they understand their information security role and that the buck stops with them.

“While we believe the data sticks have been lost, we have reported the incident to the police in order to get the best advice possible. We have no reason at all to believe the information has been accessed by anyone else.”

To make sure this cannot happen again, the PCT:
  • Is undertaking a full audit of how removable media is used across the PCT
  • Has recalled all data sticks and pen drives which contain ‘personal’ data
  • Nearly completed recalling all data sticks and pen drives in order to reissue encrypted devices to staff alongside a new procedure for their use
  • Has reminded all staff formally of existing policies and procedures
  • Is urgently developing updated guidance for staff around information security
[Evan] These steps will go a long way towards preventing an similar occurrence.  This is sound information security judgment, in my opinion.

Anyone with concerns should contact the PCT’s information line on freephone 0800 144 4304.  The line is open from 8.30am8pm MonFri and 10am4pm SatSun.

Commentary:
Overall, this has to be one of the best responses I have seen in some time from an organization that experienced a breach of personal information.  The response is open, thorough and honest.  After reading the press release, I am clear about what happened and what Oldham Primary Care Trust ("PCT") plans to do about it.  Too many times, organizations attempt to keep a breach under wraps.  PCT prominently displays the information on their web site home page.



The breach happens.  The organization comes to terms with the fact that a breach occurred.  The organization reaches out to everyone affected with an honest explanation and sincere apology.  The organization issues a press release to announce what took place and what it intends to do about it.  The organization saves face and keeps a certain amount of trust in the process.  I am impressed with how PCT has responded to this breach.

Past Breaches:
January, 2008 - Medical information found in the road
December, 2007 - Laptop stolen from Royal Bolton Hospital NHS
September, 2007 - Dudley Group of Hospitals NHS hard drives for sale on eBay

]]> Fri, 11 Jan 2008 14:15:40 +0000 information information lost personal information financial information medical information information security data freephone information line data sticks Oldham Primary Care Trust NHS loses two data sticks <![CDATA[Highly sensitive medical information found in the road]]> http://securityratty.com/article/313f8e65843ffcd54721b341f5389860 http://securityratty.com/article/313f8e65843ffcd54721b341f5389860 Security Breach

Date Reported:
1/10/08

Organization:
Kingston Hospital NHS Trust

Contractor/Consultant/Branch:
None

Victims:
Patients

Number Affected:
Unknown*

*A total of 173 documents were discovered

Types of Data:
"private medical details" including HIV, cancer, sexual disease, and hepatitis test results and information on people attending conception and addiction clinics.

Breach Description:
On Friday January 4th, 2008 a motorbike bag was discovered in the street near the Kingston Hospital.  The bag held hundreds of documents containing sensitive medical information belonging to a variety of patients.

Reference URL:
BBC News Story
The Hastings Observer Story

Report Credit:
BBC News

Response:
From the online sources cited above:

Hundreds of documents containing HIV and cancer test results have been found on a street in south-west London.

The 173 private medical documents, which were discovered in a motorbike bag near Kingston Hospital last Friday, were handed over to a local newspaper.
[Evan] I'm a little concerned with whether or not the local newspaper is the correct place to go with the sensitive information.

A Kingston Hospital spokeswoman said test results were only recognisable by a unique number but said all patients would receive written apologies.
[Evan] This mitigates the risk.  Hopefully only authorized personnel understand the number to patient name correlation.

Many of the documents which have been sent to Queen Mary's Hospital in Roehampton and the Roehampton Clinic, also included information on those attending conception and addiction clinics, as well as sexual disease and hepatitis test results.

"We take the loss of any patient information very seriously, and all the patients involved will be written to personally offering sincere apologies,"

the hospital could not explain how or when the data protection breach occurred

Commentary:
A motorbike bag full of sensitive medical information is found in the street and nobody knows how it got there?  I have more questions about this breach than I do answers.  This breach could have been very damaging to the victims if anyone were able to tie the "unique number" back to a patient name.  You don't suppose that the "unique number" is the National insurance number?

Using unique identifiers other than National Insurance (UK) or Social Security (US) numbers adds some protection in this case.

Past Breaches:
December, 2007 - Laptop stolen from Royal Bolton Hospital NHS
September, 2007 - Dudley Group of Hospitals NHS hard drives for sale on eBay

]]> Thu, 10 Jan 2008 11:11:36 +0000 sensitive medical information information kingston hospital hospital test results hepatitis test results data protection breach breach kingston hospital spokeswoman Highly sensitive medical information found in the road