back to article Rotherwood Healthcare AWS bucket security fail left elderly patients' DNR choices freely readable online

A leak of 10,000 records at a Leicestershire care home provider exposed elderly patients' wishes not to be resuscitated, detailed care plans and precisely how much councils paid for individual patients' care. Not only did Rotherwood Care Group, trading as Rotherwood Healthcare, leave an Amazon Web Services S3 bucket accessible …

  1. Anonymous Coward
    Anonymous Coward

    Meantime, a bear took a shit in the woods......

    Hey, PHB's, why not ensure you employ the right people to ensure that this thing doesn't happen? You know, the security, infrastructure engineers, and people to ensure governance.

    1. Anonymous Coward
      Anonymous Coward

      re: why not ensure you employ the right people

      Social care in this country had been crippled from a decade of austerity. If you know anyone who works in the industry you don't need me to tell you that.

      Hire care staff to actually wipe arses or spend the money on someone technical, you can't afford both.

      So the bastards trying to make money off this shit show cut corners? Maybe time to bring it back under public ownership so we can concentrate on care not profit? You can moan and bitch about the unions in the 70s but everyone was entitled to a home, an education and health care. What the fuck do you get these days?

  2. Anonymous Coward
    Anonymous Coward

    We at Rotherwood Group take the protection of personal data very seriously.

    Phew *wipes brow* had me worried there for a moment.

  3. katrinab Silver badge

    Their privacy policy still translates as follows:

    Antioxidants such as at football. In addition, important long-start. Present sterilized chocolate policies. But the developer microwave bananas gravida carrots does not trigger the borders of. Or they may present clinical sapien innovative vehicles. No bananas biggest casino. It is just as easy, carrots orange lion. Mid need of peanut. A smile to sit enforcement does not always need a wireless network. The latest football peanut zero.

    According to google anyway. I'm not sure it is the most accurate translation it's ever done.

    1. Scott Broukell

      @katrinab - I can see absolutely nothing wrong with that whatsoever, it appears perfectly normal, almost as clear as something the current president of the United States might be pround to tweet!

      1. Jimmy2Cows Silver badge

        I thought that actually was one of his tweets.

    2. GnuTzu
      Thumb Up

      Ridiculum feles sunt in Tela undique

    3. Spacedinvader

      If it had random capitalised words throughout I'd have said Google translate was bombastic bob...

  4. Alister Silver badge

    I see they've replaced the Lorem ipsum too.

    1. tfewster Silver badge

      ..though their spokespersons response was still copy-pasted.

  5. iron Silver badge

    Exceedingly personal patient details left on open web... Threatening lawyer's letters... Stay classy Rotherwood Healthcare!

    No doubt the ICO will fail to fine them the apropriate max GDPR fine and their laissez-faire attidute to potentially vulnerable people's data will continue. This is common in care sector IT (which I recently left).

    1. katrinab Silver badge

      Rotherwood Healthcare Ltd will go bust, fail to pay the fine, and Rotherwood Healthcare (Hereford) Ltd will take over.

      1. Anonymous Coward
        Anonymous Coward

        or Wotherrood Healthcare Ltd, Rotherwood Healthcare 1 Ltd,Healthcare Rotherwood Ltd etc etc etc etc

      2. Anonymous Coward
        Anonymous Coward

        Rotherwood Healthcare ($townname) Ltd

        "Rotherwood Healthcare (Hereford) Ltd will take over"

        Or one of the dozen or more Rotherwood Healthcare ($townname) companies which have the same parentage:

    2. Flywheel Silver badge

      It'd be interesting to see patients' insurance company reactions to the publication of a patient's DNR choice, especially if they had life insurance.

  6. The Nazz


    "We are unaware of any abuse of data."

    Well d'uh. Is that because you were also completely clueless that your data was out there and wide open?

    Mind you, in the interests of "open and transparent government", maybe it's a good thing that the costs charged to the Council are widely published.

  7. EnviableOne Silver badge

    We at Rotherwood Group

    take the protection of personal data very seriously but can't be arsed to upload a privacy policy or look at our AWS security dashboard.

  8. Doctor Syntax Silver badge

    “We at Rotherwood Group take the protection of personal data very seriously. Once we became aware of a security issue affecting some data held on our cloud-based system, we took immediate steps to rectify it."

    Rectifying after someody else finds your mistake is not taking protection seriously. Taking protection seriously is not making such a mistake in the first place.

  9. GnuTzu

    "There is no excuse in this day and age for AWS buckets to be left unsecured. Amazon provides tools for detecting and closing off inappropriately opened buckets..."

    The thing is, I used to think this was missing. Well, maybe it once was. And, I suppose it could be better.

    Yet more and more, it seems that there are too many out there throwing together projects at a level that is of the Dunning-Kruger variety.

    AWS could well require a check box for a disclaimer form that would require acknowledgement that reasonable security scanners, development principles, and testing must be employed. But, we live in a click-through World.

    1. Alister Silver badge

      There is no excuse in this day and age for AWS buckets to be left unsecured. Amazon provides tools for detecting and closing off inappropriately opened buckets...

      You still miss the point, El reg. There is no such thing as an AWS bucket being "left unsecured". It takes a fair amount of active work on behalf of a user to make an AWS bucket insecure, by default they are completely locked down.

      1. spellucci


        I second this comment. Someone had to intentionally override the default settings in order to make this data public.

        1. Jay 2

          Re: Second

          I second this second comment! Last year at an AWS shindig they pointed out the steps they have taken to stop this sort of thing happening. They even showed us how many hoops you have to jump through to make an S3 public.

          Depeending how old the config is, you have to wonder if someone fudged the S3 to make it public as they couldn't be bothered to do it properly...

  10. Greybearded old scrote Silver badge

    What's good for the goose

    Any medic who leaked patient data, even by accident, would never be allowed to practice again. Why are those responsible for this still working there?

    There needs to be real consequences. And not just to the guys at the bottom of the org chart.

    1. Tom Paine

      Re: What's good for the goose

      You may be mixing up medics who are careless with patient data, with medics who turn whistleblower, are sacked, forced out of their career and then vigorously pursued through the courts, threatened with financial ruin, etc. (Search Chris Day whistleblower for just one example.)

  11. Tom Paine

    To its credit, the business closed off the bucket from public access within a day of being informed.

    That's either extremely generous, or humour as dry as silica gel in the Sahara...

  12. YourNameHere

    Basically, we will share this data with anyone we want.


    Disclosure of your information

    We may share your personal information with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the Companies Act 2006. We may share your information with selected third parties including:

    Business partners, suppliers and sub-contractors for the performance of any contract we enter with them or you

    Third parties who may wish to contact you in respect of services or products they offer or sell which may be of interest to you, provided we receive your consent to such disclosure; and/or advertisers and advertising networks that require the data to select and serve relevant adverts to you and analytics and search engine providers that assist us in the improvement and optimisation of the website

    Please note we may need to disclose your personal information where we:

    Sell any or all our business or assets or we buy another business or assets in which case we may disclose your personal data to the prospective buyer or seller

    Are under a legal duty to comply with any legal obligation or to enforce or apply our terms and conditions; or

    Need to disclose it to protect our rights, property or the safety of our customers or others, including the exchange of information with other companies, organisations and/or governmental bodies for the purposes of fraud protection and credit risk reduction

    1. W.S.Gosset Silver badge

      Re: Basically, we will share this data with anyone we want.

      Actually, that level of (non)privacy statement is so standard nowadays, it's pretty much boilerplate.

    2. Halfmad

      Re: Basically, we will share this data with anyone we want.

      Basically " you are our asset to use as we want."

  13. Anonymous Coward
    Anonymous Coward

    "We are not aware of any data misuse"

    IT@rotherwood: $ cat /var/log/auth.log

    lorem ipsum Itaque earum rerum hic tenetur a sapiente delectus, ut aut reiciendis voluptatibus maiores alias consequatur aut perferendis doloribus asperiores repellat…

  14. W.S.Gosset Silver badge

    OT: DNR is NOT your decision

    Just by the bye:

    > elderly patients' wishes not to be resuscitated

    UK people should be aware that while they may express a preference, the DNR decision and authority is solely the doctor's.

    To be clear: you can tell your doctors and hospital you wish to be resuscitated --even put it in writing-- it doesn't matter. Whatever the doctor feels like jotting on your chart, that's it.

  15. Mike 137 Silver badge

    "company’s website privacy policy consisted solely of lorem ipsum placeholder text"

    That's quite common - in our research sample about 2%.

    I guess web developers have taken on board the "need for a privacy policy" and stuffed it into their templates but the client doesn't give two hoots and forgets to provide one.

    The GDPR hasn't exactly failed, it's just not being used, but as it's effectively not policed nobody has noticed.

  16. Claverhouse Silver badge

    As You Were...

    Rotherwood Healthcare's online privacy policy. It can be read here.


    Your connection is not secure

    The owner of has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

    Learn more…

    Report errors like this to help Mozilla identify and block malicious sites

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021