back to article Hospital hacker spared prison after plod find almost 9,000 cardiac images at his home

A Stoke-on-Trent hospital administrator has avoided prison after hacking his NHS trust and helping himself to almost 9,000 heart scan images. Daniel Moonie, a 27-year-old of Waterlily Close, Etruria, Stoke-on-Trent, was cautioned by police in 2017 after he was caught remotely accessing the internal network of the Royal Stoke …

  1. big_D Silver badge

    Differences...

    It still amazes me the differences between reporting in Germany and the UK, when it comes to naming criminals.

    Daniel Moonie, a 27-year-old of Waterlily Close, Etruria, Stoke-on-Trent

    That wouldn't be allowed over here, it would be Daniel M of Stoke-on-Trent, or simply Daniel M.

    1. Anonymous Coward
      Anonymous Coward

      Re: Differences...

      Trials are usually public, so that justice can be seen to work publicly. Once someone has been found guilty their name will be known, so there's little point in blocking publication. Until the trial, that's another matter.

      1. xpz393

        Re: Differences...

        I've always felt uncomfortable seeing folks' home addresses splashed all over the media in relation to a trial. It's irrelevant to the general public at best, and at worst it facilitates acts of vigilantism.

        I wonder how long it will be before a defendant challenges the practice as a GDPR breach?

        1. Anonymous Coward
          Anonymous Coward

          Re: Differences...

          Vigilantism is incredibly rare in the UK, so while it may make you uncomfortable it's historically caused great embarrassment for those convicted and pin pointed who they are to the local community.

          What I find bizarre about it is that we are increasingly pestered not to call prisoners prisoners, convicts, inmates etc and forced to use flowery language to obfuscate the fact they are in fact prisoners.. yet we plaster their home address sans house number on media reports.

          1. steviebuk Silver badge

            Re: Differences...

            There was the old case of the local idiots hounding of a paediatrician doctor out of her own home because they mistakenly confused the term with paedophile. So there is some vigilantism although that was 20 years ago now.

            1. 's water music Silver badge

              Re: Differences...

              There was the old case of the local idiots hounding of a paediatrician doctor out of her own home because they mistakenly confused the term with paedophile. So there is some vigilantism although that was 20 years ago now.

              And even that is verging on an urban myth in terms of what happened versus later reporting and popular mythology.

              Name check for el reg in the linked article.

              1. steviebuk Silver badge

                Re: Differences...

                Fair point but then we'll move onto Bijan Ebrahimi who was burned to death by two idiots and that was more recent.

      2. Smooth Newt Silver badge
        Meh

        Re: Differences...

        Trials are usually public, so that justice can be seen to work publicly. Once someone has been found guilty their name will be known, so there's little point in blocking publication.

        They are not really very public in the UK. There is very limited seating available for the public, and they are not, for instance, streamed, televised or uploaded to youtube to allow wider viewing, and in fact no form of photography is allowed. There is a great difference knowing someone's name, and knowing their address too - even the home address of my MP is secret.

        1. 0laf Silver badge

          Re: Differences...

          Yeah trials aren't exactly publicised here. They are public in that you can go and view justice in action as a member of the public and a reporter can report on what they see in court but there is no live video etc.

        2. phuzz Silver badge
          Holmes

          Re: Differences...

          If you still have a local paper, you might find that they publish a regular list of the more newsworthy people who've been convicted.

          Here's an example from last week in Bristol.

          1. 0laf Silver badge

            Re: Differences...

            Court rolls of upcoming cases are also public but they are only published five days ahead of the cases

          2. Loyal Commenter Silver badge

            Re: Differences...

            To be fair to the Bristol Post, if they didn't run "stories" like that, then they'd be left with pretty much nothing to write about at all. Then who would we turn to for vital news about potholes and new housing estates?

            1. Claverhouse Silver badge

              Re: Differences...

              Don't forget all the interesting things happening with local schools and local schoolchildren and local teachers, and all the local people running around local fields kicking balls !

              And local car-sales...

              1. John Brown (no body) Silver badge

                Re: Differences...

                To be fair, it is a local rag. There's little point in local rags regurgitating national stories unless it relates directly to the locals and can put a local spin on it.

        3. Doctor Syntax Silver badge

          Re: Differences...

          "in fact no form of photography is allowed"

          <cough>

          https://www.bbc.co.uk/news/uk-51110206

          1. steviebuk Silver badge

            Re: Differences...

            Only just changed though :)

      3. big_D Silver badge

        Re: Differences...

        In Germany, I believe you can go to the court and get the transcript, if you really want to.

        But the media cannot use the full name, let alone the address (it is not relevant to the crime in 99.9% of cases). They are also barred in most cases from showing the accused's face, that goes for the victims as well.

        There were a cases where the police did get the court to approve the issuing of an unblurred photo of a suspect or victim to help with identifying them or finding them. Once they had been identified / apprehended, the photos returned to being blurred out. So you'd see their face one evening, the next, they've been apprehended and the image is blurred again. Idiotic in some ways, but at least there is some privacy, especially useful if the person is then found not guilty.

        1. baud Bronze badge

          Re: Differences...

          In France (and some other countries too), no pictures are allowed from inside the courtroom and no filming, but you can have drawings, which are usually done for the biggest cases (at random, here's one article with such a drawing: https://www.lefigaro.fr/actualite-france/la-cagnotte-leetchi-du-boxeur-de-gendarmes-dettinger-sera-t-elle-debloquee-20200120)

        2. Anonymous Coward
          Anonymous Coward

          Re: Differences...

          We're talking here about the Daily Mail. They don't concern themselves with issues like privacy.

          1. Anonymous Coward
            Anonymous Coward

            Re: Differences...

            Did they mention how much his house cost though?

      4. Benchops

        Re: Differences...

        Public yes and the address of the defendant may well be read out in court for all present to hear. That probably doesn't breach GDPR.

        Storing the address electronically and without consent or informing/obtaining consent from the personally identifiable individual of your intentions, distribution or retention policy, and then broadcasting that address online seems to be it would fall foul of GDPR.

        Why hasn't this been challenged?...

        1. John Brown (no body) Silver badge

          Re: Differences...

          There may be exceptions for "legal stuff". IANA(GDPR expert)

        2. Kiwi Silver badge
          Paris Hilton

          Re: Differences...

          Public yes and the address of the defendant may well be read out in court for all present to hear. That probably doesn't breach GDPR.

          I don't think they do that much over these ways any more. I was at a hearing for a friend and saw a few other bail cases go through first. The addresses were referred to as "The Newtown address" or "his Auntie's home" and so on, but the actual address wasn't mentioned. The info was in written documents for the beak/lawyers (why do the words 'lawyers" and "liars" bear such phonetic similarities?) etc who needed it, the rest of us in the gallery didn't (and of course such knowledge could lead to someone with a grudge taking 'direct action' to settle their grievances).

          This could be rare - I don't exactly hang around the courts. But for the life of me I cannot see why the vast majority of the public would have a need to know the address of an accused person.

    2. Dan 55 Silver badge

      Re: Differences...

      Seems to me Germany gets the difference between information being public and information being public and also widely disseminated whereas in many other countries (ahem) many people don't care and many corporations, full well knowing the difference, take advantage of that.

      1. Anonymous Coward
        Anonymous Coward

        Re: Differences...

        Or the public knowledge of offences is part of the disincentive for committing crimes?

        Maybe the move to large urban environments has given people the illusion of anonymity?

        1. Anonymous Coward
          Anonymous Coward

          Re: Differences...

          Yes and no. How much at risk of having your X-ray stolen by this chap do you think you are?

          Or, how good is your memory at remembering the 1000s of murderers by name and face?

          So the information to you is rather stupid and useless. The information to the local town, is important and useful.

          Difference in scope and distribution.

          1. Anonymous Coward
            Anonymous Coward

            Re: Differences...

            "Yes and no. How much at risk of having your X-ray stolen by this chap do you think you are?"

            Very low - however the principal issue is that he mishandled information that was entrusted to him, something that applies to a much wider ranger of industries than just the one he was involved in and hence the benefit of a wider audience for the crimes.

            "So the information to you is rather stupid and useless."

            As an unconnected individual - yes. As a potential future employer? No

        2. Kiwi Silver badge
          Big Brother

          Re: Differences...

          Or the public knowledge of offences is part of the disincentive for committing crimes?

          We had a few shows on TV relating to crimes (much like the US "Cops" show). I am pretty sure many people on those shows were there because it was their only hope of being on TV, and the widespread reporting was an incentive to commit crimes.

          But aside from that... How many people can you name who actually honestly haven't committed a crime because they thought they'd be named and shamed? Most crims don't expect to get caught, most of the remainder don't care. Drugs or anger/other short-term "mental health issues" or "emotional issues" kill the ability for those who aren't psychopaths to rationally think about their actions and consequences, and of course there are those who just don't give thought to consequences.

          So really.. What gain is there in reporting the name and address of an accused?

          The disadvantage is "mud sticks" and we have way too many people in our society who believe that accused=guilty even if the person is later totally exonerated. I've known of people to get public apologies from the police about the police's mistakes in questioning them, and someone else is convicted, yet the neighbours believe the person must have been guilty "otherwise the police would've known they were innocent and never spoken to them in the first place". A public accusation today - where "newspapers" are online and easily searchable - is a serious thing. Newspapers often report on the "so and so from such and such has been arrested for.." but very seldom report "after a short investigation the police determined so and so was not present at the time and is no longer a person of interest to them", so a potential employer will find reports of your arrest and drop you from the list of potential employees without you or anyone else being able to say you were totally innocent.

          Of course, being without work heightens one's chances of being involved in further crime, especially those who have spent time in custody (who could lose their homes and possessions among other things fairly quickly). Thus, reporting may actually help increase the overall crime rates. I am convinced it does little to protect us, and knowing these salacious details of many cases is of no benefit to me or anyone else not directly involved.

          I'd be happy to wake up one joyful day and realise most of the MSM are gone. El Reg and a few sites that report on traffic conditions etc are all I care for :)

    3. Loyal Commenter Silver badge

      Re: Differences...

      The bigger problem, as I see it (not to negate the fact that this problem exists), is that defendants names can be made public in the press before a verdict has been reached. If that verdict is "not guilty", you then have a body of press reports linked someone with a crime thay didn't commit (or at the very least haven't been proven to have committed).

      If someone features heavily in press reports about a high profile crime, and then is found not guilty, you are likely to have had many weeks of press and TV reports featuring that person's name, followed by perhaps a single day when the verdict is reported. In the memory of the public, that person is associated with the crime.

      Lets not even get onto potential miscarriages of justice based on publicisatin of defendants identies in sensitive trials (where there are already reporting restrictions). That's why waxy-lemon got put away. Well, that and contempt of court.

      I'm all for greater limitations on what can be reported in an ongoing trial, and indeed, what can be reported after the fact. If anyone is interested, court proceedings are all on record, and pretty much all court proceedings are public, but there is a world of difference between "publicly available" and "publicised".

  2. NonSSL-Login
    Megaphone

    Hacker?

    At what point does a member of staff with valid network credentials become known as a hacker?

    Somewhere between the facts and writing the story obviously....

    1. Phil O'Sophical Silver badge

      Re: Hacker?

      At what point does a member of staff with valid network credentials become known as a hacker?

      When he still comes back and logs in after he's been fired. Did you read the whole article?

      "Moonie, who was employed by the hospital's heart and lung department as an administrator, was sacked. As part of the police caution he agreed not to access any IT system within the hospital

      ...

      Nursing a grievance over his treatment, and believing he wasn't the only one remotely accessing the hospital network, Moonie changed the password for an admin account in order to maintain his illicit access."

      1. Smooth Newt Silver badge
        Meh

        Re: Hacker?

        Shouldn't the hospital cancel the login credentials of the people they sack, or am I just being silly?

        1. JetSetJim Silver badge

          Re: Hacker?

          Of course, especially as hospitals typically have so many staff idling around to make sure that such things are done in a timely fashion

          1. Oh Matron! Silver badge

            Re: Hacker?

            Well, HR would have been notified, thus removing him from any IDM they were using (let's say AD), thus preventing access. Now, of course, we know that any outsourced company that the NHS trust may be using has written such processes, being the wonderful people that they are...

            Yes, I see the error of my ways now.

            I'll get my coat

            1. Anonymous Coward
              Anonymous Coward

              Re: Hacker?

              I suspect you have identified the issue - the device wasn't administered via an IDM and instead used local credentials.

              IDM support is added in current versions of the device and will be considered a key requirement when the unit is replaced at the end of its operational life in 10-15 years.

          2. JetSetJim Silver badge
            Facepalm

            Re: Hacker?

            I suppose I could've put the sarcasm tags on it, but I didn't really think it was neccessary

        2. JimC

          Re: login credentials

          By the sound of it they didn't change the password on an admin account. It could of course have been an anonymous sounding admin account that he set up, not the main one. It could be quite onerous to change the passwords on every admin account and every account with admin rights every time someone leaves. Necessary though if someone leaves under a cloud.

          However privacy concerns and all that: who communicates that someone has left under a cloud? Isn't there an argument it should be confidential?

          1. big_D Silver badge

            Re: login credentials

            Personnel would have to know and they should, confidentially, inform the systems administration team to immediately remove all access for the employee.

            The sys admins don't need to know why, they just need to know who's accounts to lock out and change passwords on shared accounts.

            If he had access to the admin account, it sounds like either it wasn't documented that he had access to it, or he was in a position to have added the account himself - the story makes it sound like the former.

          2. JetSetJim Silver badge

            Re: login credentials

            If there's a public facing method of getting in to a system with a credential, then that credential should be revoked/changed anytime someone with knowledge of that credential leaves - this is especially true for someone with access to such sensitive data, Doesn't matter if they dropped dead at their desk or if they stormed out angry at being treated unfairly.

        3. Anonymous Coward
          Anonymous Coward

          Re: Hacker?

          Shouldn't the hospital cancel the login credentials of the people they sack, or am I just being silly?

          They probably did - the article doesn't say that he used his own credentials, just that he changed the password for an admin account.

          An organisation like the NHS has hundreds of disparate unrelated server applications so will have hundreds or thousands of administrator and application service accounts nationally. Newer applications can integrate with automated password management solutions (i.e. CyberArk) without too much hassle, but it can be an utter pain in the ballsack to mandate the use of password expiry for legacy application service accounts without causing frequent service outages.

          Sometimes it simply is not possible without handling the password change process manually, so it may not get done at all, which I suspect is what has happened here. With poorly documented systems, sometimes the only way to tell what a particular service / admin account will affect is to change the password, see what breaks, then backpeddle furiously till it's all working again.

          Good practice states that you shouldn't be able to access a remote system using a service account and shouldn't have shared admin accounts, but again, sometimes with legacy systems this isn't possible, or simply isn't enforced due to lack of knowledge or resources.

        4. Loyal Commenter Silver badge

          Re: Hacker?

          Moonie changed the password for an admin account.

          Discussions of shared admin accounts aside (sometimes they are unavoidable), I suspect the individual's personal account would have been terminated pretty quickly, given what he had been up to.

        5. Anonymous Coward
          Anonymous Coward

          Re: Hacker?

          Re: "Shouldn't the hospital cancel the login credentials..."

          You'd have thought.

          Either they didn't have a process for doing so (seriously?!?) or someone didn't do their job.

          Since HR is ultimately responsible for ensuring access to the IT systems for everyone on the payroll (even though they may delegate that responsibility to IT), they should also ensure that access has been terminated once the employee leaves. So the buck stops with them. Unless they operate an "over the wall" / "not my job" culture. Or they just don't care...

          Regardless, sounds like the off-boarding process seriously needs auditing.

        6. Mage Silver badge
          Devil

          Re: Hacker?

          And indeed when is the Alphabet / Google medical company managers and NHS managers being fined and jailed for theft of patient records?

      2. Anonymous Coward
        Anonymous Coward

        Re: Hacker?

        The original poster is correct. Since when is illicit access hacking/cracking?

      3. NonSSL-Login
        Holmes

        Re: Hacker?

        He was using credentials issued to him while he was a member of staff but the main point is that he didn't hack anything. He used credentials issued to him. Nothing was hacked.

    2. JetSetJim Silver badge
      Headmaster

      Re: Hacker?

      Well, according to Webster's (OED seems to require a login to use), a hacker can be (4th definition):

      a person who illegally gains access to and sometimes tampers with information in a computer system

      So yes, someone who uses their valid credentials to illegally access information is indeed a hacker

      EDIT: Just RTFA and noted he changed an admin password to be used after he was sacked, so the credentials used were indeed also illegally obtained

    3. big_D Silver badge

      Re: Hacker?

      He logged in on through his home computer to a protected network. That might be a disciplinary offence in and of itself. Certainly attaching a private machine to the company network where I work is a sacking offence, as is using a USB stick, external drive, smartphone or other personal devices to attach to company property of networks - guest network is the exception.

      If he had to circumvent security processes to get his home computer to attach to the network, that would probably be construed as hacking.

      Given we are talking about healthcare, I would hope that the use of personal devices was banned by policy.

      1. JetSetJim Silver badge

        Re: Hacker?

        > He logged in on through his home computer to a protected network. That might be a disciplinary offence in and of itself.

        a) he was no longer employed, so "disciplinary offence" no longer applies, but "criminal offence" does

        b) Some bits of the NHS allow for BYOD, which also allows for home computers to be connected to the network and does allow access to confidential data. According to one BYOD policy on t'internet, you don't even need a VPN for some of it (e.g. read-only access to NHS email via OWA, although it's not clear if the user has the responsibility to not save the emails to their own device, or if that functionality is blocked) - it also depends on the device

        1. big_D Silver badge

          Re: Hacker?

          He accessed the network from his home PC, was sacked and had continued access through an admin account that he had changed the password on.

          1. JetSetJim Silver badge

            Re: Hacker?

            yes, hence point (a) in my post.

            Point (b) was to demonstrate that there are legitimate instances of *employees/contractors* accessing NHS systems via their own devices (phones, tablets and PCs) as a counterpoint to your situation where it's not allowed

    4. 0laf Silver badge

      Re: Hacker?

      Intent.

      1. John Brown (no body) Silver badge

        Re: Hacker?

        Yeahbut...unauthorised access still isn't hacking.

        1. Halfmad Silver badge

          Re: Hacker?

          hacker

          /ˈhakə/

          Learn to pronounce

          noun

          1.a person who uses computers to gain unauthorized access to data.

          2.a person or thing that hacks or cuts roughly

          Clue is there in number 1. Just because he wasn't wearing a hoodie doesn't mean he's not a hacker.

        2. Loyal Commenter Silver badge

          Re: Hacker?

          Yeahbut...unauthorised access still isn't hacking.

          The supposed origin of the term "computer hacking" as an adaptation of the name given to accessing the steam tunnels on the MIT campus in the 1970s; in other words, "hacking" was orignally a term for gaining unauthorised access to physical infrastructure, and became a term for gaining unauthorised access to computer infrastructure (the same people were involved in both).

          Wiki article

          Your claim is, therefore, almost exactly wrong.

    5. macjules Silver badge

      Re: Hacker?

      At what point does a member of staff with valid network credentials become known as a hacker?

      The moment his Implied Right of Access has been revoked.

    6. Doctor Syntax Silver badge

      Re: Hacker?

      "At what point does a member of staff with valid network credentials become known as a hacker?"

      When he accesses something he's not entitled to or,as the story puts it, commits an offence under section 1(1) of the Computer Misuse Act 1990.

      It looks as if Royal Stoke Hospital might have got ahead of the curve with single sign-on.

  3. ThatOne Silver badge
    Coat

    WTF?

    Am I the only one to have read "Royal Stroke hospital"?

    1. Rich 11 Silver badge

      Re: WTF?

      Royal Stroke

      Isn't that why Andy had to give up his former duties and go into internal exile?

    2. I3N
      Pint

      Re: WTF?

      Or Stroke-on-Trent ...

      Well that is one way to get your records ... hospital and docs made a major mistake ... reason to believe that would be the only way, too ...

  4. JakeMS
    Alert

    But why?

    Article doesn't specify what he intended to use these records for?

    Did anyone ask what purpose he had intended for these records?

    This would be my first question. Second question, had he already used them for his intended purpose? I hope they got more information out lf him about this.

    Clearly the purpose is not to help his patients, seeing as he was no longer working for the NHS...

    1. Chris G Silver badge

      Re: But why?

      Exactly my thoughts, what does one do with 9000 odd heart scans?

      They're not exactly collectable or titillating are they?

      1. Boris the Cockroach Silver badge

        Re: But why?

        Well he could post mine on the internet with the title of "How the fsck is this guy still alive?"

        To which myself and the docs will answer "fscked if we know either"

        Maybe he was looking for the manager involved with his firing and change that heart scan for a healthy one....

      2. Claverhouse Silver badge

        Re: But why?

        Rule 34.

    2. Anonymous Coward
      Anonymous Coward

      Re: But why?

      I suspect he was looking for evidence of past malpractice, or a cover-up with which to shame the hospital or extort money from them. As an insider he may well have known about it when it occurred, or at least heard rumours about it.

  5. Daniel Hall
    FAIL

    hahahahah

    "HAcker" that knew the password to login and just changed the admin password deemed a hacker.

    Hahahahahahaha FFS, literally crying here!

    1. Loyal Commenter Silver badge

      Re: hahahahah

      "hacking" as in gaining unauthorised access to a system (literally, in its truest sense).

      He got nabbed under the Computer Misuse Act, because it specifically disallows access to systems you aren't supposed to have access to, even if you know how to access them. This certainly applies to systems of an ex-employer, which you have been told, in no uncertain terms, are off limits to you.

      1. Craig 2

        Re: hahahahah

        This is one of those cases where the meaning of a word is evolving over time and usage. Hacker to me means someone with technical skills, whether compromising a computer system or picking an electronic lock. To some people, hacker could mean they simply used their easy-to-guess password.

        1. Is It Me

          Re: hahahahah

          You used to have "hacker" as someone that could do cool things with computers that they weren't originally expected to do, this is the sense it is used if those horrible "life hack" videos people keep posting on YouTube and FaceBook.

          Then you had a cracker, which was someone that cracked security systems to break their way in.

          Over time main stream media just used hacker for anything related to doing something dodgy with computers and that is now how it is used by the general public.

          1. Semtex451
            Windows

            Re: hahahahah

            And hence the entry in Websters. I recall a time when the Dictionary was for definitions and not merely a mirror of language abuse. Sad.

            I'm old, I might as well sound old.

  6. tony2heads
    WTF?

    Baffling

    Why would anyone want 9000 cardiac images?

    1. Mage Silver badge

      Re: Why would anyone want 9000 cardiac images?

      Ask Alphabet/Google.

  7. Version 1.0 Silver badge
    Facepalm

    Everyone's missing the point

    Running around shouting "hacker this, hacker that"

    But the hospital allows any computer to log in from outside? They fire the administrator and don't reset the passwords? Anyone can download all the cardiac records to any external IP address and nobody noticed until they looked at his computer?

    Now they seem to think that because they arrested the "hacker" the problem is solved?

    1. FozzyBear Silver badge

      Re: Everyone's missing the point

      Now they seem to think that because they arrested the "hacker" the problem is solved?

      Of course it is. The blame has been neatly, efficiently and more importantly, legally, shifted to someone now outside the company.

      All past misdeeds and any short term future ones can now be blamed on the recent "hacking" crisis.

  8. Anonymous Coward
    Anonymous Coward

    Heartless

    (gets coat)

    But my guess, the fellow in question may be working secretly for an insurance company. Knowing how many patients have undeclared health issues would be very useful, and the company in question could simply sit on the information until renewal time so as not to arouse suspicion.

    Incidentally there could be case law here. If it emerges that someone lied on an insurance form this is a serious offense no matter how the information that they have done so was obtained. This is essentially the idea behind the "Whistleblowers Charter"

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020