
NHS Fined After Computer Holding Patient Records Found On eBay

Posted by timothy
from the all-these-billing-addresses-are-identical dept.
judgecorp writes "NHS Surrey, part of Britain's health service, has been fined £200,000 when a computer holding more than 3000 patient records was found for sale on eBay. The system was retired, and given to a contractor who promised to dispose of it securely for free, in exchange for any salvage value... but clearly just put the whole system up for sale."

  • How does... (Score:3, Insightful)

    by Anonymous Coward on Sunday July 14, 2013 @04:27AM (#44275533)

    The government fine itself?

    • Ever heard of separation of powers?

      • by TheCarp (96830)

        Yup, I have heard of that BS excuse to not need to impose jail time for people in government. It clearly doesn't work and needs to be rethought for that purpose.

        Frankly, government corruption and incompetence is the only category of crime I support the death penalty for. Even a serial killer can only have so many victims. Maybe we can learn something from them over time...but... government employees? No, their org keeps on going, examples need to be made of them, they can hurt hundreds of thousands of peopl

        • by Shavano (2541114)

          Yup, I have heard of that BS excuse to not need to impose jail time for people in government. It clearly doesn't work and needs to be rethought for that purpose.

          Frankly, government corruption and incompetence is the only category of crime I support the death penalty for. Even a serial killer can only have so many victims. Maybe we can learn something from them over time...but... government employees? No, their org keeps on going, examples need to be made of them, they can hurt hundreds of thousands of people with a simple misstep like this. They need to be held to a higher standard than anyone else.

          If a few people swung when this sort of fuckup came about so many people are put in harm's way, I have no problem with publicly hanging the people involved.

          It would set a perfect precedent for once people realize what damage other polices have done.

          That would make it pretty hard to hire people with skills.

    • by DNS-and-BIND (461968) on Sunday July 14, 2013 @05:11AM (#44275723) Homepage
      Q: Why is starting a comment in the Subject: line incredibly irritating?
    • Re:How does... (Score:5, Insightful)

      by Joce640k (829181) on Sunday July 14, 2013 @05:12AM (#44275725) Homepage

      They shouldn't be fining themselves, they should be jailing the person responsible for handing them to the "unnamed contractor" (who was probably a friend).

      • Re:How does... (Score:5, Insightful)

        by hairyfeet (841228) <.bassbeast1968. .at. .gmail.com.> on Sunday July 14, 2013 @05:53AM (#44275867) Journal

        Actually as a PC repair guy who often does this very thing I say they should throw the contractor in jail, he is making us all look bad.

        I've done plenty of work for the city in the past and they know any donations they give to me will be wiped clean so they have no problem handing me desktops and laptops that are being replaced. Is there any records on them? probably but I wouldn't know as the first thing they get is a boot 'n nuke from me, the ONLY thing I don't wipe is the factory restore partition if it has one, everything else? Wiped before I ever mess with the system.

        So I'm all for throwing this asshole in jail because its jerks like this that end up causing systems to be disposed of via shotgun. In a dead economy there is plenty of folks hurting out there and these off-lease systems can be used to make sure anybody can have a PC, hell thanks to donations from the city I have a complete desktop system for $50 at the shop. Sure its not the fastest thing in the world but it surfs, burns DVDs, and when somebody needs a PC so their kid can look up info for school reports and they can look for a second job? A system like that can really make a difference. This is why I fricking HATE when assholes like this do dumb shit like just throwing it on eBay, he could have boot n' nuked and been done in no time, throw the lazy ass in jail.

        And if you work in a position that has getting rid of older systems as part of your duties? Don't dispose of via shotgun, talk to the local shop guys, talk to the local churches, there is usually a guy like me that is happy to refurb 'em for the poor folks and unlike this douchebag we're happy to do secure wiping on anything you hand us. There is nothing like the feeling of making a difference, just last week I donated a couple of systems to one of the local churches so they could expand their computer classes, they do a lot of work with abused women and teaching them basic computer and office skills helps them get a job and not be dependent on some wife beating scumbag. I wouldn't have been able to hand those systems over if they hadn't been donated to me, so ask around, those old P4s and Athlons may be junkers to you but it could make a difference to somebody else.

        • by Joce640k (829181)

          How hard can it be for a government to make a CD stick which you insert in a PC which boots up and wipes the hard drive?

          They could insert one in every PC before they remove it from the person's desk. It would take about ten minutes. If they're doing a roomful of PCs (as they mostly do) then by the time you got around to putting the CD in the last machine, the first one would be finished.

          • 10 mins? Really. The last disk I decommissioned took 24 hours to shred (4 passes, the longest time being for the 2 random writes). OK that was a failing Seagate 2TiB drive but for sensitive data, more passes is standard.

            • by Joce640k (829181)

              Ok, let's agree it's more than 10 minutes. Now can you address the actual point...?

              (I should have known better than to put an actual number on slashdot...)

            • by Joce640k (829181)

              ... for sensitive data, more passes is standard.

              Somebody needs to question that standard. There's no credible evidence that data can be recovered after writing a single pass of random data.

              Even if there was any evidence (and let's be clear, there isn't...), if anybody wants to spend that much money trying to recover data from machines bought randomly on eBay they should be encouraged to do so. The sooner they go bankrupt, the better.

              • by sjames (1099)

                For that matter, simple zeroing is quite sufficient for data that is merely confidential (though government standards may insist on more). Nobody is going to buy a machine off of ebay and scan the disk platters with a force microscope.

                Most of the concerns are based on outdated information relevant to much older MFM drives where the recording density was much lower and tracking errors much larger.

              • by hairyfeet (841228)
                As a guy that has been doing this since the Shat sold Vics on TV I can tell you where that old wives' tale came from and why it no longer applies. The very first drives used either RFM or MFM coding (been awhile) and the drives weren't very precise so it could slip a track and miss data, hence the multiwipe. That hasn't been true in 20 years though, with grooves so tiny and motors so precise no way a drive that isn't already dying is gonna miss a track, no way.
            • I have to deal with this a great deal with systems being passed from company to company or releasing hardware between departments inside a company.

              The "scrub" utility, built into most Linux distributions and available on the Knoppix CD and DVD images, works very well. The time taken really depends on the level of scrubbing. The "nnsa" and "dod" standard scrub options do take many hours, because they use patterns like all zeros, all ones, 10101010, 01010101, and then randomized data of various sorts. That's

            • by hairyfeet (841228)

              Dude you are buying into old wives' tales, you haven't needed to do more than a single zero pass in like 15 years. Hell there is a guy offering something like 10 grand if you can recover anything from a drive he does a zero pass on and so far not a single taker, not even the recovery companies. You see friend in the bad old days the RFM drives could easily slip the track, that would leave data behind, hence the multipass, but with modern drives that just can't happen anymore, the grooves are too tight and t

          • How hard can it be for a government to make a CD stick which you insert in a PC which boots up and wipes the hard drive?

            http://killdisk.com/downloadfree.htm [killdisk.com]

            unbelievably easy

            • There is commercial software available and certified by the government for destruction of sensitive data and "confidential" classified data.

              The use of free software is not an approved method of data destruction for bulk personal data in the UK, and its use could technically lead to legal problems. In practice, if it was used correctly, then no one would ever know.

              The problem is that the legal onus is on the person in possession of the data to provide documentary proof that the data has been destroyed in an

              • by TheCarp (96830)

                Yup, exactly, and that is exactly why my own company has a specific policy on the decommissioning of....hard drives. We don't toss servers out whole, we pull the damned drives, then who gives a fuck what you do with the chassis? I mean, of course we have a policy on how that is handled too, but its the hard drive one that matters.

                For that matter.... should so many medical records have been on an unencrypted volume? Shit, store the encryption key backups centrally and put the key on a USB stick. Separate sti

          • by _Shad0w_ (127912)

            Secure data destruction involves a very large shredder which just turns the disks into scrap metal. There's even video of it being done to the HDDs that were holding the ID card database before it was scrapped.

            • by Joce640k (829181)

              But as pointed out this is unnecessary and those PCs/disks could benefit a lot of needy people. Securely re-imaging a hard disk isn't difficult.

          • by Shikaku (1129753)

            http://www.dban.org/ [dban.org]

            Such a project already exists.

        • by jamesh (87723)

          Actually as a PC repair guy who often does this very thing I say they should throw the contractor in jail, he is making us all look bad.

          Making you look bad is not a criminal offense. You'd need to take it up in a civil court, and they don't throw people in jail.

          • by sjames (1099)

            No, but it is a motive for him to want to see criminal offenses prosecuted.

            • by julesh (229690)

              No, but it is a motive for him to want to see criminal offenses prosecuted.

              But as nobody has suggested a criminal offence of which the contractor may be guilty, it hardly seems relevant.

        • Re:How does... (Score:5, Insightful)

          by beltsbear (2489652) on Sunday July 14, 2013 @07:09AM (#44276145)

          Agreed. I used to do the same, take in free donated systems and wipe them with dban or other zero writing software. It was easy and ensured the buyer got a clean system. The main reason why people destroy perfectly good machines instead of giving them to someone like me (or charity) is fear of the type of behavior shown.

          And for god sakes, you do not need to DESTROY the hard drive. Zero writing is fine for anything not containing national security level secrets.
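
A read-back check for the single zero pass discussed in this thread, as an added example that is not part of the original discussion: it reads every addressable byte of a wiped disk image or device, reports any leftover non-zero data, and returns a record that can be kept as evidence of the wipe. The file names, record fields and sample image contents are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read 1 MiB at a time


def verify_zero_wipe(path, chunk_size=CHUNK, max_findings=8):
    """Read all of `path` (disk image or block device) and report non-zero data.

    Only sectors the OS can address are checked. Remapped sectors and hidden
    areas (HPA/DCO) are not visible this way, and a deliberately kept factory
    restore partition will be reported as non-zero.
    """
    zero = bytes(chunk_size)
    total = 0
    nonzero = 0
    findings = []
    digest = hashlib.sha256()
    with open(path, "rb") as dev:
        while True:
            buf = dev.read(chunk_size)
            if not buf:
                break
            digest.update(buf)
            if buf != zero[: len(buf)]:
                leftover = len(buf) - buf.count(0)
                nonzero += leftover
                if len(findings) < max_findings:
                    # Offset of the first non-zero byte inside this chunk.
                    first = len(buf) - len(buf.lstrip(b"\x00"))
                    findings.append(
                        {"offset": total + first, "nonzero_bytes_in_chunk": leftover}
                    )
            total += len(buf)
    return {
        "target": os.path.basename(path),
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "bytes_read": total,
        "nonzero_bytes": nonzero,
        # An empty or unreadable target is never reported as wiped.
        "wiped": total > 0 and nonzero == 0,
        "sha256": digest.hexdigest(),
        "first_findings": findings,
    }


def make_sample_image(path, size, leftovers=None):
    """Build a constructed test image: zeros plus optional leftover data."""
    with open(path, "wb") as img:
        img.write(bytes(size))
        for offset, data in (leftovers or {}).items():
            img.seek(offset)
            img.write(data)
    return path


def demo():
    """Check one incompletely wiped image and one fully zeroed image."""
    with tempfile.TemporaryDirectory() as tmp:
        size = 3 * CHUNK + 512  # not a multiple of the chunk size on purpose
        dirty = make_sample_image(
            os.path.join(tmp, "dirty.img"),
            size,
            {2 * CHUNK + 4096: b"CONSTRUCTED-RECORD-0001"},  # constructed leftover
        )
        clean = make_sample_image(os.path.join(tmp, "clean.img"), size)
        return verify_zero_wipe(dirty), verify_zero_wipe(clean)


if __name__ == "__main__":
    for report in demo():
        print(json.dumps(report, indent=2))
```

Pointed at a real device node instead of an image, the same function needs read access to the device and takes as long as one full read of the disk.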

        • While I agree it is the contractor's fault. However when you deal with a contractor you better be sure your contract has him to do what they say they will do. The contractor will probably do more what is in the contract however if failure to not do more that is in the contract could have a negative effect it should be protected.
          Such as delete your drives beforehand, or make sure the contract has him do this work, and perhaps a measure stating he will do what he says he does.

          • perhaps a measure stating he will do what he says he does.

            The contract should include a clause stating that the contractor must abide by the contract? Should it perhaps include another clause stating that the contractor must abide by the clause stating that the contractor must abide by the contract?

        • Actually as a PC repair guy who often does this very thing I say they should throw the contractor in jail, he is making us all look bad.

          I've done plenty of work for the city in the past and they know any donations they give to me will be wiped clean so they have no problem handing me desktops and laptops that are being replaced. Is there any records on them? probably but I wouldn't know as the first thing they get is a boot 'n nuke from me, the ONLY thing I don't wipe is the factory restore partition if it has one, everything else? Wiped before I ever mess with the system.

          So I'm all for throwing this asshole in jail because its jerks like this that end up causing systems to be disposed of via shotgun. In a dead economy there is plenty of folks hurting out there and these off-lease systems can be used to make sure anybody can have a PC, hell thanks to donations from the city I have a complete desktop system for $50 at the shop. Sure its not the fastest thing in the world but it surfs, burns DVDs, and when somebody needs a PC so their kid can look up info for school reports and they can look for a second job? A system like that can really make a difference. This is why I fricking HATE when assholes like this do dumb shit like just throwing it on eBay, he could have boot n' nuked and been done in no time, throw the lazy ass in jail.

          And if you work in a position that has getting rid of older systems as part of your duties? Don't dispose of via shotgun, talk to the local shop guys, talk to the local churches, there is usually a guy like me that is happy to refurb 'em for the poor folks and unlike this douchebag we're happy to do secure wiping on anything you hand us. There is nothing like the feeling of making a difference, just last week I donated a couple of systems to one of the local churches so they could expand their computer classes, they do a lot of work with abused women and teaching them basic computer and office skills helps them get a job and not be dependent on some wife beating scumbag. I wouldn't have been able to hand those systems over if they hadn't been donated to me, so ask around, those old P4s and Athlons may be junkers to you but it could make a difference to somebody else.

          It depends. It's easy enough to blame the contractor but there are factors that have to be taken into account.

          Is there a written security policy that states that the drives have to be wiped (and with what method or methods)?
          Was the contractor presented with said policy and asked to sign each page to indicate that they've seen it?
          Was it written into the contract with the contractor that they read and will follow said security policy?

          Yes the contractor (if there was one - I didn't read TFA) fucked up but th

        • Indeed, even if the hard drive contains state secrets could they just keep the hard drive but give you everything else? The donor can decide if to destroy or how they want the data erased (hopefully they can be convinced to just scrub it a whole lot and then give it to you anyway).

          Much less wastage that way, eBay has 80GB velociraptors going for $20-30 bucks (yes I know this is overkill), will increase the price of your $50 PC to $80 but I think that's still reasonable.

          As a side note to all of this, wouldn'

      • by greenbird (859670)

        They shouldn't be fining themselves, they should be jailing the person responsible for handing them to the "unnamed contractor"

        They should be firing the idiots that aren't encrypting their drives.

        I'm amazed no one is addressing the obvious. The simple solution is encrypted drives. Encryption eliminates this issue along with protecting against a whole host of other problems.

    • by 3seas (184403)

      Raises taxes?

    • Re:How does... (Score:4, Informative)

      by jellomizer (103300) on Sunday July 14, 2013 @07:05AM (#44276123)

      Simple, there are a bunch of ministries, departments, and divisions and other units all with a degree of autonomy, their own budgets, and other stuff.

      When you ask nearly any government employee where they work, they will not say I work for the Government. They will say I work in the Department of whatever...
      So if you fine a government agency the money leaves their budget and goes away from their department and to another area. Leaving that department with less money budgeted towards what they need to do. As well it would affect their influence of getting additional funding for the next year.

      • by Rich0 (548339)

        So if you fine a government agency the money leaves their budget and goes away from their department and to another area. Leaving that department with less money budgeted towards what they need to do. As well it would affect their influence of getting additional funding for the next year.

        Great, so the NHS has less money to spend on making patients healthier, and so patient health suffers.

        Trust me - the money won't come out of office furnishings or donuts for the doctors.

        If money is being misspent the solution is to correctly spend it - not just to cut off the supply. When people make bad decisions you need to punish the people, not the organization.

    • Re: (Score:3, Informative)

      by Kat M. (2602097)

      First, the Information Commissioner's Office is an independent body, subject to supervision by the courts, not any ministry. It cannot and does not care (modulo human error) whether the responsible entity was a public or private body, except where the law distinguishes between them.

      Second, an NHS trust (which NHS Surrey is) is technically not part of the government, but a public sector corporation with separate auditing requirements and separate liability. Another example is that NHS trusts are also vicario

    • by Shavano (2541114)
      Reduce agency budget.
  • The NHS fine should be doubled for stupidity.
    • by malkavian (9512)

      Bear in mind that most NHS places barely fund an IT department, let alone one that'll support the costs of encryption to every disk on every machine in a trust.
      General policy is usually that you don't save patient identifiable information to a non-server disk. And when you hire a contractor to do a job, you expect it to be done. The fault here isn't with the NHS, it's with a contractor who's supposed to be vetted as secure, offering a service, and then doing something completely stupid.
      Would be great if e

      • Having been involved in these sorts of contracts (in the USA) I can tell you that your excuse is bullshit. I've pointed out some rather glaring evidence that contractors were likely not fulfilling their end of the contracts in the past... for example, per a contract data was supposed to be encrypted at rest. However, I could connect to it via ODBC and download plain text passwords. If your passwords are stored in plain text, it's hard to believe any of the rest of the data is protected any better.

        Anyway, re

  • I wonder (Score:5, Funny)

    by Davo Batty (2855025) on Sunday July 14, 2013 @04:37AM (#44275573)
    If prism will be selling their old computers too?
    • It is possible that they might, but since the data they process is Top Secret, the hard drives will be destroyed, and probably the ram as well.

      • by gl4ss (559668)

        It is possible that they might, but since the data they process is Top Secret, the hard drives will be destroyed, and probably the ram as well.

        well sure, if their contractors aren't cheapening out...
        or if anyone knows what the box going to the dumpster is.

  • It does not matter if a contract was not signed, there was still an agreement. All that signing a contract means is that the agreement is provable and, hopefully, responsibilities clearly defined. Here: there does not seem to be a dispute as to who should have deleted the data (destroyed the disks), it is the contractor they should pay every penny of the fine.

    All of the above written without knowing exactly what was agreed!

  • FTFA:
    We should not have to tell organisations to think twice, before outsourcing vital services to companies who offer to work for free.

    Relevant Dilbert [dilbert.com]

  • well duh, obviously this was the highest salvage value they could arrange.

  • Fines.. (Score:5, Insightful)

    by Bert64 (520050) <(bert) (at) (slashdot.firenzee.com)> on Sunday July 14, 2013 @05:00AM (#44275663) Homepage

    Fining the NHS is pointless, it only harms the NHS itself... Those responsible don't care because it's not their money.
    They should fine the contractor instead, as it was his laziness/incompetence that caused this.

    • Re:Fines.. (Score:4, Insightful)

      by Fjandr (66656) on Sunday July 14, 2013 @05:02AM (#44275681) Homepage Journal

      While there was negligence on both parts, I definitely agree that the contractor should be penalized for failure to perform the promised service.

    • by Joce640k (829181)

      If you read TFA you'll see there's no contract. The word "contractor" implies it but really they were just handed to a guy who crossed his heart and promised to do it before putting them on eBay.

      OTOH, you're right that the NHS shouldn't be fined. The person who handed over the computers (presumably to a friend of his) needs jailing.

    • by mpe (36238)
      Fining the NHS is pointless, it only harms the NHS itself...

      Fining any public body tends to be at best pointless, at worst counter productive. (Another common example of this kind of daftness is fining police forces when prosecution of police officers would be more appropriate.)

      Those responsible don't care because it's not their money. They should fine the contractor instead, as it was his laziness/incompetence that caused this.

      The most obvious thing to do would be for NHS Surrey to sue the contractor
      • by N1AK (864906)
        Fining public bodies makes plenty of sense if they are remotely well run (a subject for another day). Whether it is appropriate or not would depend on things like if the organisation authorised or allowed the contractor to be given the pc or whether the employee took it without permission (in which case let's call a theft a theft). Was the data on the laptop stored sufficiently securely? Most UK government departments have policies, and sometimes are required, to encrypt discs. If it wasn't secured then mayb
    • Re:Fines.. (Score:4, Informative)

      by leathered (780018) on Sunday July 14, 2013 @06:31AM (#44276023)

      Look up Vicarious Liability, it's a tenet of Common Law.

      Too many MBAs believe that when you outsource, you are offloading responsibility. 'It was the contractor's fault, your honour' will not wash in any court of law.

      • by drinkypoo (153816)

        If the idea is to punish someone to try to correct the behavior, then fining the NHS is a fat fucking waste of time. Fining whoever hired the contractor personally might help. Fining the contractor should be mandatory when one is involved.

        • by leathered (780018)

          Agreed that the contractor is primarily responsible, and should be punished.

          However the NHS has a secondary (vicarious) liability and should also be punished for inadequate supervision of its contractors.

          FWIW I used to work for an NHS IT dept. The destruction/wiping of hard disks was tasked to the in-house team. Unlike contractors they're not motivated to take shortcuts for financial gain.

          • by Rich0 (548339)

            However the NHS has a secondary (vicarious) liability and should also be punished for inadequate supervision of its contractors.

            Just how do you "punish" an organization? The only reason the org has money is to accomplish some public service. Taking that money away just makes it less effective at whatever purpose it was created for. If it doesn't need the money, then the money should be taken away regardless of behavior.

            Punish the people who made the decisions, not the organization.

      • by Solandri (704621)
        The way it works is that you fine the entity responsible for the integrity of the data (NHS) for the data breach. Then the NHS sues the contractor for damages caused by their failure to provide promised services, for the amount of the fines plus whatever administrative costs were incurred.
    • by Faluzeer (583626)

      Hmm

      They should punish all involved in NHS Surrey. Hit them where it hurts, final warnings, no pay rises, no promotions, no pension contribution for the year.

    • by nukenerd (172703)

      Fining the NHS is pointless .... Those responsible don't care because it's not their money. They should fine the contractor instead, as it was his laziness/incompetence that caused this.

      Wrong, I think you would find those responsible DO care and are feeling very embarrassed about this. Nevertheless, the episode shows that they were incompetent and should simply be sacked. There are too many incapable people holding jobs they are not up to, and too many capable people unemployed.

      Apart from that, there is no way that the NHS should have been letting PC's off the premises with data on the drives, contract or no contract. If they had to employ a contractor, the work should have been done

    • by Livius (318358)

      They should fine the contractor instead

      Suing the contractor is hopefully NHS's next step.

  • by radio4fan (304271) on Sunday July 14, 2013 @05:16AM (#44275753)

    I don't really get this. The NHS contracts out the disposal of the machines to a private contractor, who then royally screws up, and it's the fault of the NHS?

    Surely the responsibility lies with the contractor?

    FTA:

    “Should they [the contractor] be accountable? Definitely not, because NHS Surrey have been entrusted with the welfare of their patients. Should the contractor be responsible? Absolutely, yes,” Jones added.

    This seems to me an argument that the NHS cannot outsource or subcontract anything.

    What is NHS Surrey supposed to do in this scenario? Use in-house people to analyse the machines to make sure there is no data remaining before disposing of them?

    Or just keep data-disposal services in-house? Personally, I think this would be a great idea, but it goes against the dogmatic 'privatise absolutely everything possible' trend in the UK.

    “We should not have to tell organisations to think twice, before outsourcing vital services to companies who offer to work for free.”

    Except they didn't work for free: they worked for the salvage value. I can't really see how the low value of the contract proves fault.

    • by gl4ss (559668)

      nhs shouldn't be giving them away out of their control in uncleaned condition. that much is simple.

      nhs can try to sue the contractor on contract breach still though. but if getting rid of responsibility was that easy there would be none.

    • by jimicus (737525)

      Not really. You can't discharge responsibility just by contracting someone else to do something; the principal is responsible for the actions of their contractor.

      Of course, the NHS could sue the contractor, assuming they had a contract that mentioned secure disposal.

  • by Murdoch5 (1563847)
    Your records aren't secure or private in the first place, no matter where you live or get health care. I've had 5+ sets of digital AND paper records just magically go missing from several hospitals. The doctors didn't really care, they just re-ran the tests and in one case the re-run results also went missing. If you believe in an illusion of privacy and security with your country's health care system then you've been fooled.
  • How hard is it to wipe a machine? I've never been a fan of the wasteful practice of physically shredding hard drives. But a simple policy is that you physically take every drive out of the machine, hook it up to a master machine, and run a reliable drive wiping program. As for the reliability of these drive wiping programs, I have not only not heard of something slipping by them, there is one company that sells hard drives that have been wiped with only zeros and has a cash prize if you can restore the data
  • When are all these organizations going to learn that NO DATA should ever be on a mobile device? All access should be done through virtual desktops from secured, managed devices using strong authentication and mandatory access controls, period. This is not rocket science and the technology has been available for years. They only have themselves to blame.
