"Trever pleaded guilty to seven counts of breaking the Computer Misuse Act and said he'd acted out of idle curiousity."
Oh look, it turns out curiosity IS a crime after all.
A Hull man has been given a suspended sentence for looking at hundreds of women's medical records. Dale Trever, 22, was working for Hull Primary Care Trust as a "care data quality facilitator" when he accessed medical records of 413 female patients. The court was told he accessed records 597 times. He started his snooping …
I can't speak from the point of view of Police or Online Shopping, but Banks (In the EU, at least) are very sensitive to this sort of thing. It may even now be a regulatory requirement, but there was a wake-up call when someone at Vodafone downloaded all of David Beckham's text messages and sold them to some tabloid.
The bank that I work at has systems that detect if people's accounts are looked at and no work is actually carried out.
He didn't have to look at very many records he had no reason to view before the logs left behind of his illegal access caught up with him. And of course validity of these logs all depends upon cutbacks not cheapening systems to the point where it becomes feasible and routine for NHS person A to authenticate using NHS person B's credentials.
When I was doing desktop support at a BT call centre in Dundee, some customer service droid checked out Thomas Hamilton's account after the Dunblane Massacre. Later that day he was marched off the office floor (and then out of the building some time afterwards) by three spooky-looking suits assisted by two of her majesty's finest. Rumour had it that the suits actually flew up from Oswestry.
It was also routine for the droids to receive calls from security goons immediately after having legitimately viewed/amended a high profile person's account. Your average BT account holder scum seemed to be fair game though.
Those and such as those, I suppose.
"The court was told he accessed records 597 times..........Trever pleaded guilty to seven counts of breaking the Computer Misuse Act"
Why wasn't this 579 counts of breaking the Act? Why did it take an on-the-ball' practice manager to 'suspect' this, instead of in-built warning systems to detect it?
Have the people who medical records have been browsed my this sad idiot been told that their data privacy has been breached and been advised of steps they can take to bring action against the idiot or the NHS? I doubt it. The only thing we can be sure of is that any Government organisation will totally foul-up any data protection obligations they have.
"Why did it take an on-the-ball' practice manager to 'suspect' this, instead of in-built warning systems to detect it?"
Because it was built by the company that tendered the cheapest quote, meaning that to meet the budget and deadlines, as well as to speed up the system so it only took 2 minutes to login to, the security module was reduced to a user name and password stored in plane text in the system database.
The database was of course a MSSQL server with the default admin password open to anyone with a PC on the 'trusted' medical network.
Same sentence as the policeman got for assaulting a woman in custody.
It seems we have a sense of proportion failure somewhere, and no, I'm not saying which is right, if any, just that they don't equate in my view.
They randomly pick PNC's checks and ask you to justify your reasons for requesting it. I gave a fixed penalty to a car on my street (it was blocking the road) and needed a PNC check to see if I could locate the owner first. Within a day I had a letter asking to prove this was legitimate check.
"The offence should be committed when someone *acts on* information they were not supposed to have known"
No, the offence is clearly defined (why do I have to keep repeating this every time a CMA story comes along) by S1 of the CMA. You don't get to break the law and then say "no harm, no foul", it doesn't - and shouldn't - work like that.
For the hard of thinking, the offence was not "looking at the data", but breaching the CMA in getting access to the data to look at in the first place, m'kay ?
I know what the law says, I just think it's a bad law.
If someone finds out something that wasn't specifically volunteered to them, but manages to keep quiet about it anyway, then I really don't see the harm in that.
Of course, knowing something that you weren't supposed to know can sometimes create interesting situations (such as knowing that the gas fire in the holiday cottage where you have been sleeping with your mistress has been chuffing out CO, but not being able to warn your wife about it before she takes the kids there for a surprise holiday for fear of your affair being discovered) but they are the exception, and should be dealt with on a case-by-case basis.
It's not so much that other people know things about you that you'd rather they didn't, as that you know they know those things.
centralised health records are dangerous. Centralised anything in fact, and amalgamated multiple databases are even worse.
Patients can easily be given a memory fob on which all their medical data is stored and handed over for perusal or updating by a doctor. Prescriptions could also be entered and the chemist/pharmacist would have limited read/write rights so no no duplicate prescriptions can be issued without authority.
It will stop double-doctoring, too, no dongle - no service except in emergency.
I attended a hospital in Toronto for around 7 months and my electronic record, including X-rays was around 5 megabytes - which was copied, at my request, to my dongle.
They let you plug your USB dongle into a machine with access to patients'/'s medical data???
Haven't you heard about these new fangled tech things called viruses? You wouldn't want to expose your doctor to those - they don't have a vaccine for that kind yet! Quick! Call the CDC!
Mine's the one with the correctly setup hardware/software policies. Saved to a USB dongle of course.
I was "let go" from a job for looking up a email-friend-but-also-customer's phone number on the computer, and she complained ..... 22 years ago, and we got married soon after..!
Slightly more recently ... somewhere in a different ex-employers email archives might yet still be several complete copies of GP medical systems that I worked on, doing a data-conversion between systems. Wonder if the DPO should ask them..
...mentioning the (bloody awful) summary care records system here. And it does, indeed, have its issues and I must get around to opting out of it, however this doesn't necessarily mean that he used the summary cockup system to get the info. It could have come from whichever local patient management system was being used.
Or did the article mention that he used the SPINE/whatever they're calling it this week to get the info? (Apologies to all if it did, but it's well on the way to beer o' clock here and I'm tired...)
after it was discovered he was reading world+dog email on the corporate system.
Considering it was a local authority, it was a lot of emails he had access to.
Didn't think it warranted sacking him, im sure any IT techie will admit to having a snoop at some point.
Perk of the job sometimes....
I am a professional. In 20 years of dealing with email systems, personnel databases, payroll systems, whatever, I have *never* looked at any data without first seeking authorisation and having a damn good reason for doing so.
Anyone who thinks the data is there for their personal amusement should on no account be allowed access to any systems, of any sort.
A hospital near me closed in 1985 and stood derilict until 2006, after exploring it thoroughly (boys will be boys) we found a room filled with filing cabinets containing people's medical records. As far as I know they remained there until the day the building was razed.
It doesn't matter how your data is stored, if the organisation storing it isn't particularly interested in keeping it safe, then it won't be safe.
Biting the hand that feeds IT © 1998–2022