<![CDATA[[SecurityRatty] tag: russells]]> http://securityratty.com/tag/russells Fri, 15 Feb 2008 11:08:13 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[Castlecroft Medical Practice patient information at risk]]> http://securityratty.com/article/7d98e304d1a9c365580155e37aa7cb76 http://securityratty.com/article/7d98e304d1a9c365580155e37aa7cb76 Security Breach

Date Reported:
6/18/08

Organization:
NHS Trust

Contractor/Consultant/Branch:
Wolverhampton City Primary Care Trust
Castlecroft Medical Practice

Victims:
Patients

Number Affected:
~11,000

Types of Data:
"names, dates of birth, addresses, contact details and confidential medical records"

Breach Description:
"A laptop containing confidential medical records of all 11,000 Wolverhampton patients at a city surgery has been stolen from a GP’s house, police revealed today."

Reference URL:
The Press Association
The Express & Star

Report Credit:
The Press Association

Response:
From the online sources cited above:

A laptop containing confidential information about 11,000 patients has been stolen from a GP's home.
[Evan] This is now the 11th breach reported on The Breach Blog concerning NHS Trust and affiliated organizations.  What is the excuse?  Can the GP and/or Primary Care Trust and/or Medical Practice claim to not know the risks involved?

Contrary to Department of Health guidelines, the information was not encrypted, which would have made it unreadable without a special code to unscramble it.
[Evan] Are medical personnel aware of and required to follow the guidelines?  Are there penalties or sanctions for non-compliance?

The laptop was among items stolen in a recent burglary at the home of the unnamed doctor, who works at the Castlecroft Medical Practice in Wolverhampton.

The details of when and where the laptop was taken from are not being released, but a helpline has been launched for worried patients
[Evan] I could not find the helpline phone number; otherwise I would publish it for people.

The information on the computer, which belongs to the practice, included patients' names, dates of birth, addresses, contact details and confidential medical records.

The practice has written to all of its 11,000 patients to inform them that information about them was on the stolen computer.

Dr Peter Wagstaff, senior partner at the practice, said: "The practice is treating this issue very seriously and we are extremely sorry for any distress or concern that it may cause our patients. Though not encrypted, the confidential information on the laptop was protected by a complex password system, which only a person with specialist computer knowledge would be able to crack."
[Evan] If the organization were "treating this issue very seriously", and if it was "truly sorry" then why attempt to minimize the situation (risk) by using the password protection argument.  In my opinion (and that shared by many information security professionals), password protection is NOT an adequate preventative control to ensure the confidentiality of the information stored on a laptop computer.  This holds especially true in instances where the password protection is controlled by the operating system.  See: "Laptop stolen from a Quest Diagnostics employee" and "Not to worry: the stolen laptop was 'password-protected'".

He said the laptop appeared to have been stolen for its re-sale value, rather than for any information stored upon it.
[Evan] In my opinion, this is another attempt to minimize the situation and imply that the risk of confidential information disclosure is less than it may actually be.

Jon Crockett, chief executive of Wolverhampton City Primary Care Trust, said the trust was "extremely concerned" about the theft.

He said: "Patients and the public have the right to expect that those dealing with confidential information maintain the highest levels of security and we are carrying out a full and urgent investigation into this incident."
[Evan] Mr. Crockett makes a very valid point.

National guidance from the Department of Health is that any confidential information about patients must be stored in a safe and secure environment, and mobile devices - including laptops - which contain such data must be fully protected by encryption, he said.
[Evan] Again, Mr. Crockett seems to "get it".

Commentary:
The 11th breach for NHS Trust-affiliated organizations in less than 10 months and the fact that the cause of this one is so well publicized in other breaches does not instill much confidence.

The eleven breaches are only what has been reported on The Breach Blog, there may be more.

Past Breaches:
NHS Trust:
May, 2008 - Sandown Health Centre backup tape is missing
March, 2008 - Stolen NHS flash drive contained adolescent information
February, 2008 - Laptop missing from Russells Hall Hospital (UK)
January, 2008 - Stolen Bolton Hospitals Laptop affects cancer patients
January, 2008 - Queen Mary's Sidcup Hospital microfiche film goes missing
January, 2008 - Stockport Primary Care Trust flash drive goes missing
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Highly sensitive medical information found in the road
December, 2007 - Laptop stolen in Royal Bolton Hospital break-in
September, 2007 - Dudley Group of Hospitals NHS Patient Data For Sale on eBay

]]> Thu, 19 Jun 2008 07:54:50 +0000 information confidential information confidential information disclosure confidential information maintain practice castlecroft medical practice computer laptop computer adolescent information Castlecroft Medical Practice patient information at risk <![CDATA[Sandown Health Centre backup tape is missing]]> http://securityratty.com/article/930fdb89c35f1b9172d20874c9f9d1a1 http://securityratty.com/article/930fdb89c35f1b9172d20874c9f9d1a1 Security Breach

Date Reported:
5/19/08

Organization:
NHS Trust

Contractor/Consultant/Branch:
Isle of Wight NHS Primary Care Trust
Sandown Health Centre
City Link (the courier)

Victims:
Patients

Number Affected:
38,650

Types of Data:
Medical records

Breach Description:
"The Isle of Wight NHS Primary Care Trust and the Sandown Health Centre are taking action to reassure patients after a computer tape containing their personal details went missing."

Reference URL:
Isle of Wight NHS Primary Care Trust News
The Press Association
BBC News
eHealth Insider

Report Credit:
The Press Association

Response:
From the online sources cited above:

The Isle of Wight NHS Primary Care Trust and the Sandown Health Centre are taking action to reassure patients after a computer tape containing their personal details went missing.

The tape was sent in March to a London-based specialist GP software company who are responsible for maintaining their clinical software.

They carry out checks on computer back-up tapes to make sure they could be used effectively to restore information to the practice computer system in the event of a system failure or other emergency such as a fire.

Unfortunately, the tape has not been received back at the Health Centre, having been despatched by the company through a courier service in March.

Sent on 11 March, it took two months before the tape’s disappearance was discovered by INPS and the PCT.
[Evan] The amount of time that it took to notice that the tape was missing is cause for concern.

The tape was meant to be tracked at every stage by City Link to ensure it reached its destination - the courier firm admitted this had not happened and it is now investigating the loss.

A spokesperson said: "We are naturally very concerned by the loss of our customer’s consignment and a rigorous search for the parcel continues. We are doing everything in our power to resolve the matter and return the package as quickly as possible."

It is presumed that the tape has been lost, possibly permanently, although all possible efforts are being made to try and find it.

The tape contains medical records of 38,650 current and past patients of the Health Centre from July 1996 onwards.

It includes all current patients and large numbers of patients who registered on a temporary basis whilst visiting or working on the Island and patients who have since transferred to practices elsewhere.

It is standard practice for GPs to hold patient details for at least ten years after they are no longer registered with them.
[Evan] Some of the information on the tape dates back 12 years, but that is still in accordance with "at least ten years".

the risk of the tape being misused is extremely small

The tape requires specialist computer equipment to run it and the data is password protected.

In addition, highly advanced computer skills and/or access to a specialist programme only normally used by GPs and the data verification company are needed to make any sense of the information on the tape.
[Evan] According to the eHealth Insider story the tape was encrypted.  Is the "specialist programme"?  If this is the case, and presuming that good password management practices were followed, then I agree with the assessment that the risk of disclosure is probably small.

The PCT is working with the practice to contact as many patients as possible and is in the process of writing to those who are currently still registered with the practice.

a dedicated telephone helpline has been set up and can be contacted on 0845 602 6834 between 8am and 8pm from Monday to Friday

The Interim Chief Executive of the PCT, Margaret Pratt, said:  "Although there is very little chance of anyone being able to do anything untoward with this tape, should they find it, it is potentially a very serious loss of confidential information.

"It is important that everyone concerned continues to do everything possible to try and locate the tape and that is happening.  It is equally important that we provide reassurance to patients over the level of risk that their personal information could be misused and I am confident that risk is extremely small."

"I should stress that neither the Health Centre nor the NHS more widely on the Island are in any way responsible for this tape going missing.  However, we will, of course, be reviewing the procedures used for data verification by practices to see if there are lessons to learn."

Dr Peter Randall, Senior Partner at the Sandown Health Centre, added:  "We have another copy of the back-up tape and our main computer records system is not affected by this. So we still have access to all the information we need and patient care is not compromised in any way."

"My own view is also that the risk of any harm resulting is minimal.  My own family are registered as patients at this practice which means their details are amongst those on the tape.  I have no worries about the information falling into the wrong hands and being used improperly."

The incident comes five months after NHS chief executive David Nicholson wrote to all NHS trust chief executives telling them to review and tighten their information governance and data transfer arrangements.
[Evan] Unfortunately, it took a number of breaches before Mr. Nicholson issued his directive.  Better late than never.  He should be commended in regards to the directive.  My hope is that the NHS follows good information security governance practices and continually strives to improve their information security program(s).

Commentary:
There was no mention (unless I missed it) of encryption in the official Isle of Wight NHS news announcement.  The encryption mention comes in the eHealth Insider report.  It is also not clear what "medical records" entails exactly.

Past Breaches:
NHS Trust:
March, 2008 - Stolen NHS flash drive contained adolescent information
February, 2008 - Laptop missing from Russells Hall Hospital (UK)
January, 2008 - Stolen Bolton Hospitals Laptop affects cancer patients
January, 2008 - Queen Mary's Sidcup Hospital microfiche film goes missing
January, 2008 - Stockport Primary Care Trust flash drive goes missing
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Highly sensitive medical information found in the road
December, 2007 - Laptop stolen in Royal Bolton Hospital break-in
September, 2007 - Dudley Group of Hospitals NHS Patient Data For Sale on eBay

]]> Tue, 27 May 2008 09:14:16 +0000 tape health centre sandown health centre data verification data verification company back-up tape computer tape information personal information Sandown Health Centre backup tape is missing <![CDATA[Stolen NHS flash drive contained adolescent information]]> http://securityratty.com/article/77471a2acba37c8287ae843ab0dbf717 http://securityratty.com/article/77471a2acba37c8287ae843ab0dbf717 Security Breach

Date Reported:
3/5/08

Organization:
NHS Trust

Contractor/Consultant/Branch:
Telford and Wrekin Primary Care Trust (PCT)
Madeley Health Centre

Victims:
Adolescent patients

Number Affected:
238

Types of Data:
Names, dates of birth, addresses, and clinical treatment details

Breach Description:
A laptop was stolen from a speech therapist at the Madeley Health Centre in Shropshire (UK).  According to officials the laptop has been secured, but a flash drive containing personal information belonging to child patients of the clinic is missing.

Reference URL:
Computerworld
BBC News
The Shropshire Star

Report Credit:
The Shropshire Star

Response:
From the online sources cited above:

A laptop containing personal details of more than 200 children has been stolen from a Shropshire medical center.

Telford and Wrekin Primary Care Trust (PCT) confirmed a laptop was stolen from the Madeley Health Centre, while one of its language therapists was running a clinic and had left the laptop in an adjacent room.

It has since been disconnected from the NHS network to ensure no access to data, but a memory stick with 238 patients' details is still missing.
[Evan] Information security professionals need to reduce the risk of exposure to the information, NOT the laptop.  The information must be secured wherever it resides.

These records include patient names, date of births, and addresses as well as the details of their speech and language therapy treatment.

Simon Conolly, Telford & Wrekin PCT chief executive said in a statement that the laptop had been fitted with encryption software to comply with the high NHS security standards.
[Evan] This is an excellent decision and practice by NHS, but if copying confidential information to flash drives is allowed without restriction then it doesn't do a whole lot of good in the end.  Sounds obvious, but the facts speak for themselves.

"The equipment was also fitted with sophisticated tracking equipment and the police were informed immediately."

The PCT said it informed patients of the breach as soon as the theft was reported, and the trust is undergoing a thorough investigation.
[Evan] In my opinion, another good call by officials.  Notifying victims sooner rather than later is good practice (as long as it doesn't hinder the investigation).

Conolly said: "All staff are given strict instructions about all aspects of security on patient records, for example not to leave laptops in cars. It is extremely unfortunate that the equipment has been stolen from the NHS clinic while the therapist was working there. A thorough internal investigation is being carried out and if there are lessons to be learnt from this incident, the PCT will be ensure that security measures are reinforced."
[Evan] How about some additional controls around removable media?  Or, if possible prohibit their use altogether with respect to confidential information.

Telford police spokeswoman Denise Wakefield said the theft of the Flybook laptop happened on February 27 at 4.50pm.

Anyone with information about the theft is asked to call police on 08457 444888.

Commentary:
I get tourqued when I read about breaches that affect children.  If what is being reported is actually the truth, then the risk to the children in minimized by the fact that there isn't a lot of potential for fraud.  I wonder if there was more information on the flash drive though.

Information security is a holistic discipline.  We strive to take into account all risks to unauthorized information disclosure, modification and destruction.  While encrypting laptops is recommended as part of an overall information security strategy, it is equally important to remember the goal of the information security program and protect the information in all locations and forms (i.e. CDs, flash drives, print outs, etc.). 

Past Breaches:
NHS:
February, 2008 - Laptop missing from Russells Hall Hospital (UK)
February, 2008 - Stolen Bolton Hospitals Laptop affects cancer patients
January, 2008 - Queen Mary's Sidcup Hospital microfiche film goes missing
January, 2008 - Stockport Primary Care Trust flash drive goes missing
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Medical information found in the road
December, 2007 - Laptop stolen from Royal Bolton Hospital NHS
September, 2007 - Dudley Group of Hospitals NHS hard drives for sale on eBay

]]> Thu, 06 Mar 2008 08:23:26 +0000 information personal information medical information information security confidential information information security strategy nhs information disclosure information security program Stolen NHS flash drive contained adolescent information <![CDATA[Laptop missing from Russells Hall Hospital (UK)]]> http://securityratty.com/article/4a6172db8a71f63b3eb40c6f7757d0d5 http://securityratty.com/article/4a6172db8a71f63b3eb40c6f7757d0d5 Security Breach

Date Reported:
2/13/08

Organization:
NHS Trust

Contractor/Consultant/Branch:
The Dudley Group of Hospitals 
Outpatient Department at Russells Hall Hospital

Victims:
anticoagulation patients*

*people who suffer from blood-thinning problems

Number Affected:
5,123

Types of Data:
"medical records"

Breach Description:
A laptop was stolen from the Outpatient Department of Russells Hall Hospital in Dudley, West Midlands, on January 8.  The laptop contained sensitive medical records and personal information belonging to people who suffer from blood-thinning problems.

Reference URL:
The Dudley Group of Hospitals statement to the press
The story on The Independent online 

Report Credit:
The Dudley Group of Hospitals

Response:
From the online sources cited above:

A laptop computer was stolen whilst an anticoagulation clinic was being held in the Outpatient Department at Russells Hall Hospital on 8 January 2008.

The laptop held a database that had limited clinical records of 5,123 anticoagulation patients on it.

The database is password/login protected and a separate Trust login and password is required to operate the laptop. Accessing patient information will therefore be difficult.
[Evan] I would not say that accessing the information would be difficult.

Clearly this is a serious issue.
[Evan] Clearly!

We take precautions to try to protect all the I.T. equipment in our hospitals from theft, but given that this is a public building with thousands of people accessing it every day, there are inevitably practical difficulties around security.
[Evan] This is one of the reasons why information security has a concept called "defense in depth".  Higher physical security risk environments require mitigating controls such as encryption, alarms, increased surveillance, physical cable locks, etc.

Our security team work very hard to ensure the safety of our staff, patients and visitors, but it is very difficult to mitigate against all deliberate acts of theft.

To help alleviate any concerns and answer any questions that might arise, staff in the clinic have been talking to the patients about the theft and giving them an explanatory letter which gives them information about the database and explains that the data is not easily accessible.

Letters have also been sent to patients’ home addresses so as to ensure that every patient affected has been notified as soon as possible.

We have no evidence that the patient information on the stolen laptop has been accessed.

The Trust takes its responsibility for data protection and security very seriously and in 2007 commissioned the roll out of new data encryption software.
[Evan] Amen!

The deployment has now begun and the data encryption software is being loaded onto all Trust owned laptops.
[Evan] The word I keyed in on immediately was "all".

We are also taking steps to implement a series of other actions:

The data encryption software will also be loaded onto all mobile devices which includes Trust PDA’s and memory sticks.
[Evan] Excellent, and again the word "all".

In-line with Department of Health guidelines, we are conducting an in-depth review of the transfer of patient data.

The Trust has instructed an independent consultant to conduct a penetration audit of the Trust’s network, which will look in detail at the security infrastructure in place to ensure that systems cannot be hacked into.

All old PCs, laptops and PDA’s are wiped using a degausser before they are disposed of.
[Evan] Another excellent idea.  Remember the University of Glamorgan study?  The Dudley Group of Hospital is stepping it up, and patients will benefit.

We would like to apologise for any concern this matter has caused those patients affected, and would like to reassure them that the information on the database is unlikely to be recoverable.

The recent £135,000 investment in additional data security together with these actions provides us with the best assurance that the data we hold relating to our patients is safe at all times.

Commentary:
After reporting numerous information security breaches involving the NHS Trust, it is refreshing to read that they are making changes for the better.  I think I have written enough about them, and would prefer not to write anymore.

Past Breaches:
NHS:
February, 2008 - Stolen Bolton Hospitals Laptop affects cancer patients
January, 2008 - Queen Mary's Sidcup Hospital microfiche film goes missing
January, 2008 - Stockport Primary Care Trust flash drive goes missing
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Medical information found in the road
December, 2007 - Laptop stolen from Royal Bolton Hospital NHS
September, 2007 - Dudley Group of Hospitals NHS hard drives for sale on eBay


]]> Fri, 15 Feb 2008 11:08:13 +0000 information personal information medical information data data protection information security data encryption software russells hall hospital hospital Laptop missing from Russells Hall Hospital (UK)