NHS Direct wrongly emailed patients' data

An email sent by the NHS advice service mistakenly disclosed personal information about patients, although it did not leave the health service. The organisation's annual report for 2008-09 reveals that the information, including the names, addresses, NHS numbers, dates of birth and clinical data of about 100 patients, was …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    A spreadsheet?

    Oh, FFS.

  2. Frank Bitterlich

    The usual bollocks...

    Quote: "NHS Direct takes data protection very seriously and we regularly review our processes and train our staff in order to ensure that we fulfil our responsibilities in this area." That's a lie. Proof:

    "... this happened when a spreadsheet was emailed to three people in error."

    a) "spreadsheet" + "emailed": FAIL.

    b) "spreadsheet" + "emailed" + "to three people": Catastrophic FAIL.

    c) "emailed" + "in error": Final, irrevocable proof that they...

    - do NOT train their staff in any meaningful way

    - do NOT take data protection seriously

    - do NOT fulfill their responsibilities in this area.

    End result: Complete, utter, FAIL.

  3. Martin 6

    @The usual bollocks.

    You missed the bit where the spreadsheet was a photo of a screendump printed out and placed on a wooden table before being pasted into a spreadsheet.

  4. Jon 48

    Hardly a major failure. The information didn't leave the NHS so everyone who saw it would already be bound by patient confidentiality rules. Every company I've ever worked for has used spreadsheets for emailing information, at least the NHS is acting responsibly by holding its hands up and admitting it.

  5. Anonymous Coward

    Why not

    Just give the whole lot to Google to look after --- and make it publicly available.

    We might just as well google for each other's personal details as find them on park benches and the back seats of cars.

  6. Anonymous Coward

    Patient confidentiality

    isn't between the patient and ALL of the NHS. So data ending up with the wrong employees is a breach of that confidentiality. At least they're owning up to it but still they're not exactly showing trust-inspiring levels of competence.

  7. Dale Richards

    @Jon 48

    -- "The information didn't leave the NHS"

    This isn't guaranteed. The spreadsheet was emailed to "another part of the health service" - depending on their definitions, it's entirely possible that the email in question travelled over the Internet, and could therefore have been intercepted at any one of a number of points along the way...

  8. Dr Patrick J R Harkin

    @Dale Richards

    If it was emailed, it *should* have gone over NHSNet (which has been renamed, but I can't remember what to, N3 I think) which has a separate encrypted backbone and shouldn't end up going through any unapproved ISPs.

  9. Jon 66

    @Dr Patrick J R Harkin

    I should imagine you are correct that any NHS email address would have been routed over N3.

    Glad to know that our data is completely safe as surely no employee in their right mind would have the gall to put an internet email address into the CC field....

  10. William saywell

    @Jon66

    In this case you are probably correct, as the sender and recipient would almost certainly have been using NHS mail which is secure end-to-end between nhs mail addresses [@nhs.net].

    However, the principle doesn't hold generally, as [unlike social services and MoD] there are many parts of the NHS that use @nhs.uk addresses, which are not secure outwith their own organisation, and so are inappropriate for sending patient data to other domains [including other @nhs.uk and @nhs.net addressees], as this traffic would be routed over the internet.

    William.
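The domain rule William describes above (patient data only to addresses in a domain that is secure end-to-end, not to @nhs.uk or other internet-routed domains) can be enforced at the point of sending. The following is an added example written for this page, not NHS Direct's or NHSmail's own code. It assumes, as a labelled policy choice rather than a fact from the article, that `nhs.net` is the only domain treated as secure, that a spreadsheet is recognised by filename extension or MIME type, and that the sample message is constructed inline for demonstration.

```python
"""Outbound gate: refuse to send a spreadsheet attachment unless every
To/Cc/Bcc recipient is in a domain treated as secure end-to-end.

Added example for illustration, not NHS or NHSmail code.
Assumptions (policy choices, not facts from the article):
  - only 'nhs.net' counts as secure end-to-end, per the comment above;
    every other domain, including *.nhs.uk, is treated as internet-routed.
  - a spreadsheet is identified by filename extension or MIME type.
"""
from email.message import EmailMessage
from email.utils import getaddresses

SECURE_DOMAINS = {"nhs.net"}  # assumption: the only end-to-end secure domain
SPREADSHEET_EXTS = {".xls", ".xlsx", ".csv", ".ods"}
SPREADSHEET_TYPES = {
    "application/vnd.ms-excel",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
    "application/vnd.oasis.opendocument.spreadsheet",
    "text/csv",
}


def recipients(msg):
    """Every address in To/Cc/Bcc, lowercased (display names discarded)."""
    fields = []
    for header in ("To", "Cc", "Bcc"):
        fields.extend(msg.get_all(header, []))
    return [addr.lower() for _, addr in getaddresses(fields) if addr]


def domain_of(addr):
    """Part after the last '@'; empty string if there is none."""
    return addr.rpartition("@")[2]


def external_recipients(msg, secure=SECURE_DOMAINS):
    """Recipients whose domain is not in the secure set (Bcc included)."""
    return [a for a in recipients(msg) if domain_of(a) not in secure]


def has_spreadsheet(msg):
    """True if any attachment looks like a spreadsheet by name or type."""
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in SPREADSHEET_EXTS):
            return True
        if part.get_content_type() in SPREADSHEET_TYPES:
            return True
    return False


def check_outbound(msg, secure=SECURE_DOMAINS):
    """Return (allowed, reason). Deny a spreadsheet to any non-secure address."""
    if not has_spreadsheet(msg):
        return True, "no spreadsheet attached"
    outside = external_recipients(msg, secure)
    if outside:
        return False, "spreadsheet to non-secure recipient(s): " + ", ".join(outside)
    return True, "all recipients in secure domains"


def build_message(to, cc=(), attach_name=None):
    """Constructed sample message (hypothetical addresses, not real ones)."""
    msg = EmailMessage()
    msg["From"] = "sender@nhs.net"
    msg["To"] = to
    if cc:
        msg["Cc"] = ", ".join(cc)
    msg.set_content("Patient list attached.")
    if attach_name:
        # constructed placeholder content, no real patient data
        msg.add_attachment("NHS number,Name,DOB\n", subtype="csv",
                           filename=attach_name)
    return msg


if __name__ == "__main__":
    internal = build_message("a@nhs.net", cc=["b@nhs.net"], attach_name="patients.csv")
    mixed = build_message("a@nhs.net", cc=["c@example-trust.nhs.uk"], attach_name="patients.csv")
    print(check_outbound(internal))
    print(check_outbound(mixed))
```

The check looks at Bcc as well as To and Cc, because a recipient hidden from the others still receives the attachment. The caveat that matters for this incident: a domain rule only controls which transport the message takes, and does nothing about the breach the article actually describes, a spreadsheet sent to the wrong three people inside the health service. Limiting who may receive clinical data at all requires a recipient allow-list or a confirmation step keyed to the attachment, not just a domain check.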



Biting the hand that feeds IT © 1998–2022