Tag Archives: NHS

NHS Website Sent Users to Malware Site

The NHS is at the centre of another controversy as their website has been redirecting thousands of people to pages that contained malware or advertising.

The problem was first experienced over the weekend, when users inevitably took to social media sites to express their anger and views about the situation.

A user, who goes by the name Muzzers on Reddit, stated that he came across the problem when searching for flu shot information.

Muzzers stated, “So while attempting to access flu shot information I stumbled upon a page which redirected me to an advertisement. Digging a bit deeper I found hundreds more pages which redirect to either an advertisement or malware infested page.”

In total, it is believed that the problem affected over 800 pages but the site administrators have been keen to stress that the problem wasn’t caused by hackers but by a typo by a developer.

A spokeswoman for the Health and Social Care Information Centre (HSCIC) which runs the NHS website told the Guardian, “Last year, a developer accidentally put “translate.googleaspis.com” rather than “translate.googleapis.com” as the source for the JavaScript file. Last night someone in the Czech Republic took ownership of the incorrectly spelt domain it was referring to; the correctly spelled one is actually owned by Google. Although the typo existed in NHS Choices code, until the point the domain name was purchased, this was not causing any issues.”

The vast majority if not all of the affected links have now been corrected but it remains unclear just what impact this has had as there is the potential threat that personal data has been compromised.
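A mistyped script host like the one described above can be caught before it ships by checking every external script source against an allowlist. The following Python check is an added example, not NHS Choices code: it collects the hosts of `<script src>` tags and flags any host that is not allowed, marking near-misses of an allowed host as lookalikes. The allowlist entry `static.example.org`, the host `ads.example.net` and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the hosts this site intends to load scripts from.
ALLOWED_HOSTS = {"translate.googleapis.com", "static.example.org"}

# Constructed sample markup; paths are placeholders.
SAMPLE_PAGE = """
<script src="https://translate.googleapis.com/constructed/widget.js"></script>
<script src="//translate.googleaspis.com/constructed/widget.js"></script>
<script src="/local/site.js"></script>
<script src="https://ads.example.net/constructed/tag.js"></script>
"""

class ScriptHostCollector(HTMLParser):
    """Collect the host of every <script src=...> that names one."""
    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        host = urlparse(src).hostname if src else None  # None for relative paths
        if host:
            self.hosts.append(host.lower())

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_script_hosts(html, allowed=ALLOWED_HOSTS, max_distance=2):
    """Return (host, verdict, closest_allowed) for each script host not allowed."""
    collector = ScriptHostCollector()
    collector.feed(html)
    findings = []
    for host in collector.hosts:
        if host in allowed:
            continue
        dist, closest = min((edit_distance(host, good), good) for good in allowed)
        if dist <= max_distance:
            findings.append((host, "lookalike", closest))
        else:
            findings.append((host, "unlisted", None))
    return findings

if __name__ == "__main__":
    for finding in audit_script_hosts(SAMPLE_PAGE):
        print(finding)
```

Run as a step in code review or a build pipeline, a non-empty result fails the check; a lookalike finding points at the allowed host the developer most likely meant.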

Internet security expert Graham Cluley finds the explanation baffling and if it is true, then anybody who inadvertently downloaded the malware could be at risk.

Cluley stated, “I’m surprised by that explanation… what often happens is that a hacker will find a weak point and inject a piece of code to exploit it and set up a domain name. Otherwise whoever registered the domain name in the Czech Republic must have scanned the code, which few do, or registered numerous websites in the hope of getting lucky.”

A spokeswoman for the HSCIC claimed that they will ensure that this does not happen again.

She stated, “NHS Choices is treating this issue with urgency and once resolved we plan to undertake a thorough and detailed analysis to ensure that a full code review is undertaken and steps put in place to ensure no reoccurrence.”

In today’s world, it is now imperative that all data is protected by a robust backup solution to ensure that it can be recovered. Users also need to protect their machines by ensuring that they have the latest security updates installed and working properly.

Scottish Health Boards Suffer 806 Data Breaches in Last Five Years

The Scottish Health Boards have suffered from 806 data breaches between 2009 and 2013. This involves a range of different data breaches from data loss and data leaks to breaches of the Data Protection Act.

The figures were obtained and revealed by the Scottish Liberal Democrats through Freedom of Information requests. What is more concerning is that the total number of data breaches increased from 86 incidents in 2009 to 223 in 2013.

With such a high number of data breaches, there is invariably a wide range of different types of data breaches which makes it much harder for the Scottish Government to implement regulations and to ensure that they are all being adhered to.

Incidents that have resulted in a data breach within the last five years include documents being sent to the wrong addresses and being left in public places such as in car parks and on public transport. One such incident occurred in NHS Greater Glasgow and Clyde in July 2013 when a folder which contained information relating to 60 patients was found by a member of the public at a bus stop. The folder was handed in at a nearby hospital.

Such statistics are a cause for concern, especially with the drastic increase of data breach incidents within a five year period. As a result, the Scottish Lib Dems have appealed for the Scottish Government to ensure that the Scottish Health Boards are given adequate support to ensure that confidential data remains secure.

Jim Hume who is a Scottish Lib Dem health spokesman stated, “NHS staff work extremely hard under an enormous amount of pressure but there must be a vigilant approach when it comes to protecting confidential patient information. The Health Secretary must ensure that NHS boards are given the support needed to learn lessons and prevent further breaches of patient confidentiality. We have no choice but to trust the people looking after our families to look after their personal details too.”

Hume added, “Whilst the year-on-year rise in incidents may be due to an increase in reporting, this should make health boards all the more aware of the scale of the problem. In one instance, a patient was given the pregnancy record of another patient. Our figures also show a number of important patient records and notes were lost. Some of those that were found had been left in public places where anyone could have read that private information.”

Hume concluded, “A mistake here or there might not seem much but the bigger picture is one of patient information being lost across Scotland. The Health Secretary must explain what he is doing to address this.”

The Scottish Government has responded and stated that they are already taking action to help reduce the number of data breaches within the Scottish Health Boards.

A spokesman stated, “We take patient confidentiality and security of patient information very seriously and believe any data breach is unacceptable. All health boards are required to have robust procedures in place to secure patient information and staff should be given ongoing training in data protection.”

The spokesman added, “All mobile devices holding any patient data are now encrypted so, even if a laptop is stolen, patient information cannot be accessed; boards are installing a new tool to pinpoint staff who are accessing information they are not entitled to see; and health boards are rapidly moving from paper files to encrypted devices.”

The spokesman concluded by stating, “In the interests of greater transparency and to make data breach statistics easier to interpret, the Scottish Government plans to introduce a severity scale and national reporting mechanisms in line with recommendations made by Dame Fiona Caldicott. This should also lead to more clarity on data breaches and other security matters.”

With such cases, it is very hard to pinpoint why there have been so many data breach cases. It will take time for the Scottish Government’s actions to start making an impact and to see how much they have helped to reduce the number of data breaches.

It is all good and well introducing policies and regulations but the staff need to be educated about data security. This will help them understand the importance of following the regulations and minimise the number of simple mistakes that are made.

Another NHS Trust Fined After Patient and Staff Files Left Behind

The Information Commissioner’s Office (ICO) have fined the Belfast Health and Social Care Trust a staggering £225,000 after it was revealed that 115,000 patient and staff files were left behind after the hospital closed in 2006.

In total, there were 100,000 patient records and 15,000 staff files that were left behind. These records and files had been left on the floor, in cabinets or on shelves which obviously shows that there was a total disregard towards the security of this confidential data when it came to moving the files and records to a secure location.

The negligence towards the security of such confidential files is the main reason for the ICO imposing such a significant fine. The ICO stated, “The Trust failed to take appropriate action to keep the information secure, leaving sensitive information at a hospital site that was clearly no longer fit for purpose. The people involved would also have suffered additional distress as a result of the posting of this data on the internet.”

The ICO have also confirmed that all files and records have now been removed from the site and have been appropriately destroyed or filed away in an appropriate secure place.

The Belfast Health and Social Care Trust were given the responsibility to look after the 26 acre site which contains 40 separate buildings in 2007 when six separate Trusts merged into one overall Trust. When the Belfast Health and Social Care Trust took control, they employed two security guards on a permanent basis to patrol the grounds and organised five separate patrols to take place on a daily basis to assist them. CCTV and fire and intruder alarms were already in place but soon failed which left the patrolling guards with a near impossible job to ensure that trespassers didn’t break into any of the buildings.

At the end of 2007, trespassers managed to break into some of the buildings with the patrolling guards being unaware due to the CCTV and fire and intruder alarm systems being inoperative. The trespassers took photographs of the records and posted their finding on the internet.

The Trust didn’t find out about this until 2010 when someone else told them about the confidential information being posted on the internet. The Trust soon acted and started an investigation which couldn’t be conducted properly as certain areas of the site had been cordoned off because of asbestos concerns. The Trust also set about improving the security of the site and fixed damaged windows and doors. The apparent security improvements are seen to have been futile as the Irish News reported that you could still get onto the site in April 2011.

This is yet another case of an NHS Trust showing negligence towards data belonging to patients and staff and surely an overall review into the handling of data needs to be conducted. The fact that patient records were just left on the floor and on shelves is staggering and it would be very interesting to see if plans were ever put in place to keep the files in a secure location when it was decided to close the hospital down.

Disaster Recovery Systems not in place for many London NHS Trusts

A recent study conducted across 30 NHS trusts in London has revealed that 60% of the NHS trusts do not have a disaster recovery system in place. This is a staggering statistic and means that data belonging to hundreds of patients is at risk. If one of these NHS trusts that does not have an adequate disaster recovery plan and disaster recovery system in place experiences a disaster, how on earth do they expect the doctors and their team to provide the medication and care needed when patient records will be inaccessible for a period of time or lost forever?

Dionne Hilton, programme manager at London NHS Commercial Support Unit, presented the results from the study and commented on why so few NHS Trusts had a disaster recovery system in place. Hilton honestly stated that they do not know and that they are trying to find out why so many do not have a disaster recovery plan in place.

Hilton stated, “That is what we are trying to find out; we are trying to help them. It is quite shocking that as many as 60% don’t have it. There was a massive range, from organisations that were doing particularly well in efficient use of their back-office systems to others not faring as well. We found overall that foundation trusts are doing better than non-foundation trusts.”

An NHS IT manager who attended the presentation stated, “I’m very surprised by this finding. We are a foundation trust and have a very robust disaster recovery system in place. I almost feel that this figure can’t be right somehow it’s so shocking.”

This sums up the whole situation very well, and those NHS Trusts in London who do not have an adequate disaster recovery system in place should start looking to implement a system immediately.

As this study was only conducted across 30 NHS Trusts in London, the need for a more widespread study across the country should be looked into as it is vital that the true extent of the problem is known. An investigation needs to be conducted in those NHS Trusts who do not currently have a disaster recovery system in place so that the more common problems, if any, can be tackled.

ICO hit NHS with a £90,000 fine

The Central London Community Healthcare NHS Trust has become the latest victim of the Information Commissioner’s Office (ICO), which has imposed an eye-watering £90,000 fine after a series of breaches of the Data Protection Act was eventually brought to their attention.

The data breach occurred over a three month period where roughly 45 faxes which contained confidential data belonging to patients were accidentally sent to the wrong person. The Central London Community Healthcare NHS Trust meant to fax the patient lists to St John’s Hospice. These patient lists contained information which related to 59 people and their diagnoses, their domestic situation and resuscitation instructions.

After a three month period of receiving these patient lists, the individual who had been receiving them eventually told Blighty’s health service. The individual stated that they have been receiving these patient lists and that they had shredded them to ensure that the information didn’t go any further.

ICO head of enforcement Stephen Eckersley has commented on this case. Eckersley stated, “Patients rely on the NHS to keep their details safe. In this case Central London Community Healthcare NHS Trust failed to keep their patients’ sensitive information secure. The fact that this information was sent to the wrong recipient for three months without anyone noticing makes this case all the more worrying.”

This is the latest case where the ICO have had to conduct an investigation because of a number of errors. Firstly, The Central London Community Healthcare NHS Trust didn’t have stringent enough measures in place to stop such an error occurring. Secondly, the staff hadn’t been adequately trained on data protection. These two factors combined are the main reason for the ICO imposing the hefty fine.

The trend of confidential data being compromised by people working in the public sector is set to continue as it is very evident that there are still members of staff who haven’t been appropriately trained on data protection. Yet again, this case suggests that we are still acting reactively and not proactively. The need for more stringent measures to be implemented and all members of staff to be adequately trained in data protection is increasing day by day as the implications become more severe if appropriate measures are not in place.

Data loss affects 800 hospital patients

It has been revealed that East Surrey hospital in Redhill have lost an unencrypted USB memory stick that contains confidential records of 800 patients. The data loss was revealed in the Surrey and Sussex Healthcare NHS trust annual report which stated that it had occurred in September 2010. Local press who have access to this document reported that the unencrypted USB memory stick contained information regarding patients’ dates of birth, names, addresses and operation details. The hospital decided not to take up the option of informing the affected patients of this loss.

Surrey and Sussex chief executive Michael Wilson said “All staff should always use encrypted memory sticks when transferring patient data. It is regrettable that this didn’t happen on this occasion and the member of staff has been taken through the Trust’s disciplinary procedures and has received further training.”

An unexplained issue regarding this data loss is that the hospital has a policy in place that demands that all data being kept on removable data drives should be encrypted. This case shows a clear sign of negligence and raises concerns over how much data is being transported without being encrypted beforehand.

The Check Point UK managing director, Terry Greer-King stated “The incident shows that security policies do need to be enforced by solutions that automate data encryption and bar the use of unauthorised devices, so that users have to adhere to those policies.”

This isn’t the first time and most probably will not be the last time that data from hospitals is lost, compromising sensitive and confidential data belonging to hundreds of patients. Only last year, an unencrypted USB stick belonging to the East & North Hertfordshire NHS Trust which contained details of patients’ conditions and treatments was carelessly lost on a train by a junior doctor.

This latest case isn’t good reading for those involved in the NHS as The Information Commissioner’s Office (ICO) released figures in 2010 showing that the NHS recorded the highest number of data loss incidents of any UK sector.

It is very clear that the NHS Trusts have been treated very leniently regarding incidents of data loss and have managed to avoid the punishments and sanctions that private companies face if such incidents occur.

Grant Taylor, a VP with encryption and security specialist, Cryptzone stated “Had this been a private company, rather than an NHS Trust, the organisation would have been publicly censured and a large fine levied under the Data Protection Act.”
