http://securityratty.com/tag/sandown Tue, 27 May 2008 09:14:16 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/7d98e304d1a9c365580155e37aa7cb76 http://securityratty.com/article/7d98e304d1a9c365580155e37aa7cb76 Security Breach

Date Reported:
6/18/08

Organization:
NHS Trust

Contractor/Consultant/Branch:
Wolverhampton City Primary Care Trust
Castlecroft Medical Practice

Victims:
Patients

Number Affected:
~11,000

Types of Data:
"names, dates of birth, addresses, contact details and confidential medical records"

Breach Description:
"A laptop containing confidential medical records of all 11,000 Wolverhampton patients at a city surgery has been stolen from a GP’s house, police revealed today."

Reference URL:
The Press Association
The Express & Star

Report Credit:
The Press Association

Response:
From the online sources cited above:

A laptop containing confidential information about 11,000 patients has been stolen from a GP's home.
[Evan] This is now the 11th breach reported on The Breach Blog concerning NHS Trust and affiliated organizations.  What is the excuse?  Can the GP and/or Primary Care Trust and/or Medical Practice claim to not know the risks involved?

Contrary to Department of Health guidelines, the information was not encrypted, which would have made it unreadable without a special code to unscramble it.
[Evan] Are medical personnel aware of and required to follow the guidelines?  Are there penalties or sanctions for non-compliance?

The laptop was among items stolen in a recent burglary at the home of the unnamed doctor, who works at the Castlecroft Medical Practice in Wolverhampton.

The details of when and where the laptop was taken from are not being released, but a helpline has been launched for worried patients
[Evan] I could not find the helpline phone number; otherwise I would publish it for people.

The information on the computer, which belongs to the practice, included patients' names, dates of birth, addresses, contact details and confidential medical records.

The practice has written to all of its 11,000 patients to inform them that information about them was on the stolen computer.

Dr Peter Wagstaff, senior partner at the practice, said: "The practice is treating this issue very seriously and we are extremely sorry for any distress or concern that it may cause our patients. Though not encrypted, the confidential information on the laptop was protected by a complex password system, which only a person with specialist computer knowledge would be able to crack."
[Evan] If the organization were "treating this issue very seriously", and if it was "truly sorry" then why attempt to minimize the situation (risk) by using the password protection argument.  In my opinion (and that shared by many information security professionals), password protection is NOT an adequate preventative control to ensure the confidentiality of the information stored on a laptop computer.  This holds especially true in instances where the password protection is controlled by the operating system.  See: "Laptop stolen from a Quest Diagnostics employee" and "Not to worry: the stolen laptop was 'password-protected'".

He said the laptop appeared to have been stolen for its re-sale value, rather than for any information stored upon it.
[Evan] In my opinion, this is another attempt to minimize the situation and imply that the risk of confidential information disclosure is less than it may actually be.

Jon Crockett, chief executive of Wolverhampton City Primary Care Trust, said the trust was "extremely concerned" about the theft.

He said: "Patients and the public have the right to expect that those dealing with confidential information maintain the highest levels of security and we are carrying out a full and urgent investigation into this incident."
[Evan] Mr. Crockett makes a very valid point.

National guidance from the Department of Health is that any confidential information about patients must be stored in a safe and secure environment, and mobile devices - including laptops - which contain such data must be fully protected by encryption, he said.
[Evan] Again, Mr. Crockett seems to "get it".

Commentary:
The 11th breach for NHS Trust-affiliated organizations in less than 10 months and the fact that the cause of this one is so well publicized in other breaches does not instill much confidence.

The eleven breaches are only what has been reported on The Breach Blog, there may be more.

Past Breaches:
NHS Trust:
May, 2008 - Sandown Health Centre backup tape is missing
March, 2008 - Stolen NHS flash drive contained adolescent information
February, 2008 - Laptop missing from Russells Hall Hospital (UK)
January, 2008 - Stolen Bolton Hospitals Laptop affects cancer patients
January, 2008 - Queen Mary's Sidcup Hospital microfiche film goes missing
January, 2008 - Stockport Primary Care Trust flash drive goes missing
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Highly sensitive medical information found in the road
December, 2007 - Laptop stolen in Royal Bolton Hospital break-in
September, 2007 - Dudley Group of Hospitals NHS Patient Data For Sale on eBay

]]> Thu, 19 Jun 2008 07:54:50 +0000 information confidential information confidential information disclosure confidential information maintain practice castlecroft medical practice computer laptop computer adolescent information Castlecroft Medical Practice patient information at risk http://securityratty.com/article/930fdb89c35f1b9172d20874c9f9d1a1 http://securityratty.com/article/930fdb89c35f1b9172d20874c9f9d1a1 Security Breach

Date Reported:
5/19/08

Organization:
NHS Trust

Contractor/Consultant/Branch:
Isle of Wight NHS Primary Care Trust
Sandown Health Centre
City Link (the courier)

Victims:
Patients

Number Affected:
38,650

Types of Data:
Medical records

Breach Description:
"The Isle of Wight NHS Primary Care Trust and the Sandown Health Centre are taking action to reassure patients after a computer tape containing their personal details went missing."

Reference URL:
Isle of Wight NHS Primary Care Trust News
The Press Association
BBC News
eHealth Insider

Report Credit:
The Press Association

Response:
From the online sources cited above:

The Isle of Wight NHS Primary Care Trust and the Sandown Health Centre are taking action to reassure patients after a computer tape containing their personal details went missing.

The tape was sent in March to a London-based specialist GP software company who are responsible for maintaining their clinical software.

They carry out checks on computer back-up tapes to make sure they could be used effectively to restore information to the practice computer system in the event of a system failure or other emergency such as a fire.

Unfortunately, the tape has not been received back at the Health Centre, having been despatched by the company through a courier service in March.

Sent on 11 March, it took two months before the tape’s disappearance was discovered by INPS and the PCT.
[Evan] The amount of time that it took to notice that the tape was missing is cause for concern.

The tape was meant to be tracked at every stage by City Link to ensure it reached its destination - the courier firm admitted this had not happened and it is now investigating the loss.

A spokesperson said: "We are naturally very concerned by the loss of our customer’s consignment and a rigorous search for the parcel continues. We are doing everything in our power to resolve the matter and return the package as quickly as possible."

It is presumed that the tape has been lost, possibly permanently, although all possible efforts are being made to try and find it.

The tape contains medical records of 38,650 current and past patients of the Health Centre from July 1996 onwards.

It includes all current patients and large numbers of patients who registered on a temporary basis whilst visiting or working on the Island and patients who have since transferred to practices elsewhere.

It is standard practice for GPs to hold patient details for at least ten years after they are no longer registered with them.
[Evan] Some of the information on the tape dates back 12 years, but that is still in accordance with "at least ten years".

the risk of the tape being misused is extremely small

The tape requires specialist computer equipment to run it and the data is password protected.

In addition, highly advanced computer skills and/or access to a specialist programme only normally used by GPs and the data verification company are needed to make any sense of the information on the tape.
[Evan] According to the eHealth Insider story the tape was encrypted.  Is the "specialist programme"?  If this is the case, and presuming that good password management practices were followed, then I agree with the assessment that the risk of disclosure is probably small.

The PCT is working with the practice to contact as many patients as possible and is in the process of writing to those who are currently still registered with the practice.

a dedicated telephone helpline has been set up and can be contacted on 0845 602 6834 between 8am and 8pm from Monday to Friday

The Interim Chief Executive of the PCT, Margaret Pratt, said:  "Although there is very little chance of anyone being able to do anything untoward with this tape, should they find it, it is potentially a very serious loss of confidential information.

"It is important that everyone concerned continues to do everything possible to try and locate the tape and that is happening.  It is equally important that we provide reassurance to patients over the level of risk that their personal information could be misused and I am confident that risk is extremely small."

"I should stress that neither the Health Centre nor the NHS more widely on the Island are in any way responsible for this tape going missing.  However, we will, of course, be reviewing the procedures used for data verification by practices to see if there are lessons to learn."

Dr Peter Randall, Senior Partner at the Sandown Health Centre, added:  "We have another copy of the back-up tape and our main computer records system is not affected by this. So we still have access to all the information we need and patient care is not compromised in any way."

"My own view is also that the risk of any harm resulting is minimal.  My own family are registered as patients at this practice which means their details are amongst those on the tape.  I have no worries about the information falling into the wrong hands and being used improperly."

The incident comes five months after NHS chief executive David Nicholson wrote to all NHS trust chief executives telling them to review and tighten their information governance and data transfer arrangements.
[Evan] Unfortunately, it took a number of breaches before Mr. Nicholson issued his directive.  Better late than never.  He should be commended in regards to the directive.  My hope is that the NHS follows good information security governance practices and continually strives to improve their information security program(s).

Commentary:
There was no mention (unless I missed it) of encryption in the official Isle of Wight NHS news announcement.  The encryption mention comes in the eHealth Insider report.  It is also not clear what "medical records" entails exactly.

Past Breaches:
NHS Trust:
March, 2008 - Stolen NHS flash drive contained adolescent information
February, 2008 - Laptop missing from Russells Hall Hospital (UK)
January, 2008 - Stolen Bolton Hospitals Laptop affects cancer patients
January, 2008 - Queen Mary's Sidcup Hospital microfiche film goes missing
January, 2008 - Stockport Primary Care Trust flash drive goes missing
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Highly sensitive medical information found in the road
December, 2007 - Laptop stolen in Royal Bolton Hospital break-in
September, 2007 - Dudley Group of Hospitals NHS Patient Data For Sale on eBay

]]> Tue, 27 May 2008 09:14:16 +0000 tape health centre sandown health centre data verification data verification company back-up tape computer tape information personal information Sandown Health Centre backup tape is missing