back to article East Londoners nicked under Computer Misuse Act after NHS vaccine passport app sprouted clump of fake entries

British police have made a series of arrests over the past few months after people with apparent access to NHS databases allegedly sold fake vaccination status entries on the NHS vaccine passport app. This week the Metropolitan Police's Cyber Crime Unit declared it had arrested three men after an unidentified NHS trust " …

  1. midgepad Bronze badge

    GP patient data was enthusiastically moved out of Practices and into data centres run by the system suppliers a while ago.

    1. Pascal Monett Silver badge
      Coat

      Yes, but it was done with enthusiasm, so it's okay.

    2. Anonymous Coward
      Anonymous Coward

      > GP patient data was enthusiastically moved out of Practices and into data centres run by the system suppliers a while ago.

      Yes, EMIS even moved this GP patient data they held from their own data centre to AWS in 2019. Not sure whether SystemOne and INPS still host patient data themselves or if they also have moved to the cloud.

      Separate from this, my ongoing two ICO complaints about GP Practices (and other health orgs) sharing patient data unlawfully for the past 10.5 years might start to come to a conclusion shortly as the ICO case officer sent me an email yesterday to tell me two things - firstly that he is now in a position to give me an outcome regarding my 9.5 month old case against the central ALB (Arms Length Body) that is "managing" the sharing of patient data, and secondly that he's just gone on Xmas leave and will not be back in the office until 4th Jan at which point he will start to write the case outcome to send to me in early Jan... I'm still hoping that ICO might actually take some significant action but I'm also prepared to more realistically instead see ICO give them a mild "don't do that again" slap on the wrists and take basically no real action.

      Once ICO have sent some outcome for that in Jan then I expect they will shortly afterwards also deliver an outcome for the related 11 month old case against my GP Practice. Again I'm hoping for action but realistic that ICO are a waste of space.

      Relevant to midgepad's earlier comment, one aspect of my two complaints (against GP Practice & ALB) is that when I asked my GP Practice when did they instruct INPS (Data Processor for GP's patients records system) to integrate with the ALB's central system the Practice said that they *never* instructed INPS (yet the integration has been in place/active for 8.5 years) - which appears to indicate that INPS either acted upon the ALB's instructions to integrate with the central system or else INPS decided to do so themselves - neither of which would be lawful as the GP Practice is the sole Data Controller for their patients' records and a Data Processor can only lawfully act upon the Data Controller's instructions.

      1. Anonymous Coward
        Anonymous Coward

        I may be wrong, but I thought the contractual arrangement between NHS England the GP practice made NHS England a joint controller of the patient data - I have certainly seen reference to this before.

        1. Anonymous Coward
          Anonymous Coward

          Perhaps. However I'm not talking about NHS England - in my case it is HSC (NI), aka NHS Northern Ireland.

          If the NI central orgs were *already* Joint Controllers for the GP Practice records then there would have been no need/no point to create a Data Sharing Agreement for the system in question to define all the various HSC(NI) orgs as Controllers-in-Common (as they were from the start of the sharing) or Joint Controllers (as they have allegedly been since some undefined "recent" date) in order to share personal data from the GP Practices. My Practice have indicated they are the sole Controller for their patient's records and they also have indicated they never instructed INPS to integrate the Practice's records system with the central system (their words were "it just happened") so that indicates INPS as Processor acting without instruction from the Controller.

          "made NHS England a joint controller of the patient data - I have certainly seen reference to this before"

          If that's the case in England then your GP Practice's Privacy Notice would be required to state this (as part of the GDPR "transparency" requirements). Perhaps that is where you saw it mentioned?

  2. MichaelZWilliamson

    "ditched when it saw the passports would be useful for slowing the spread of harmful COVID-19 variants."

    Please provide any peer-reviewed evidence that vaccine passports have slowed the spread.

    Oh, there isn't any? Yes, we knew that.

    1. Robert Carnegie Silver badge

      In Scotland https://www.bbc.co.uk/news/uk-scotland-58422607

      "The passport was introduced as a way of allowing events to go ahead despite surging cases of Covid-19 and avoiding wider restrictions, while also encouraging the uptake of the vaccine in younger people."

      And vaccination is going pretty well in Scotland, so that part worked. Showing that the vaccine stops the virus spreading is trickier. Mainly it stops the virus from killing the vaccinated person, which is good, but some vaccinated people think they're completely safe, and they're not. So they could engage in risky behaviour like going to big public events...

      But to the extent that the vaccines do ward off the virus, the virus spread is slowed.

      1. Anonymous Coward
        Anonymous Coward

        Recent event in Newcastle, NSW, Australia. 650 people in a nightclub. One or more positive people enter the venue (which has mandatory double-vax policy under the prevailing rules at the time)....200 case result. Passports work do they?

        1. John Robson Silver badge

          Yes - they don’t need to be 100% effective to work. They just need to reduce spread.

          Can’t fix stupid, and it appears to be endemic

        2. Dan 55 Silver badge

          Yes, they do. Most of the people in ICUs now are unvaxxed and a vaccine passport reduces the number of unvaxxed catching Covid. That way it hopefully won't be as necessary to turn hospitals into giant Covid wards, as they were last time.

          1. anothercynic Silver badge

            Unfortunately, the NHS (regardless of country) is already ramping things back up in terms of COVID wards, if the NHS staff I follow are anything to go by because they are concerned that omicron will return things to where they were in April last year.

            Of course, whether it will remains to be seen, but I think the NHS would rather overreact and *not* be caught with their pants down, than just trundle along and have a repeat of April last year. It may be an illogical response in our eyes, but...

          2. Alan Brown Silver badge

            Most? Nearly all!

            "Most of the people in ICUs now are unvaxxed"

            More than "most". It's around 98%

            Vaccination works. It may not always stop you CATCHING Covid, but it sure as hell bolsters your defences if you do catch it

            I caught covid very early in the pandemic - before vaccines were avilable and before it was even realised as a pandemic. I had 3 MONTHS off work, have lost half my lung capacity, permanent hearing and eye damage and amd still dealing with other aftereffects nearly 2 years later

            If you want to roll those dice, that's fine, but why should anyone pay your medical expenses when a vaccination is cheap insurance? And are you willing to pay the medical expenses of anyone you infect?

            1. EnviableOne Silver badge

              Re: Most? Nearly all!

              this is the thing, the overwhelming majority of cases in ICU are Unvaxed and Delta,

              With omicron being less intense, but faster spreading, it's likely the issue won't be with ICU space, but GM beds

      2. Cederic Silver badge

        That'd be Scotland, that with a 'papers please' mandate ended up with higher infection rates than 'whatever' England?

        I'm far from convinced that this demonstrates the effectiveness of vaccine passports.

        1. Robert Carnegie Silver badge

          I'm only claiming that vaccine passport rules make people get vaccinated.

  3. steviebuk Silver badge

    Inside job

    So can they do them on this?

    "The Computer Misuse Act makes it a criminal offence to access a computer system without authorisation. "

    If they are internal and as part of their job have access. You can't do them for unauthorised access. They can just get fired for abusing their position.

    1. Contrex

      Re: Inside job

      "If they are internal and as part of their job have access. You can't do them for unauthorised access. They can just get fired for abusing their position." - employees are authorised to access a system for the purpose of carrying out their job. Just noodling around or personal use is not authorised. People at DVLA get sacked for looking up vehicles they are thinking of buying or which e.g. belong to someone they are curious about.

    2. rg287

      Re: Inside job

      If they are internal and as part of their job have access. You can't do them for unauthorised access. They can just get fired for abusing their position

      Yes. “Without authorisation” includes accessing for purposes not related to their work/role - their authorisation is conditional, and subject to the Acceptable Use Policy and professional standards.

      Same as Police snooping on their new neighbours or daughter’s new boyfriend.

      It’s actually more serious because it involves an abuse of trust, as opposed to straight black hat breaking-and-entering.

      1. anothercynic Silver badge

        Re: Inside job

        Absolutely spot on.

    3. Alan Brown Silver badge

      Re: Inside job

      "If they are internal and as part of their job have access. You can't do them for unauthorised access."

      Tell that to various police staff (sworn and civilian) regularly prosecuted under the CMA for noodling around in excess of their authorisation

      1. Contrex

        Re: Inside job

        7 Jan 2022 - a digital forensic specialist from Stafford, admitted misconduct in a public office last month after being sacked by Staffordshire police for gross misconduct. A police worker who illegally downloaded and took home thousands of images, including those showing murder victims and postmortems, has been jailed for three years. Darren Collins, a digital forensic specialist from Stafford, admitted misconduct in a public office last month after being sacked by Staffordshire police for gross misconduct.

        His brief said " He accepts and understands, with the benefit of hindsight, he should not have and was not permitted to look at other images beyond the parameters he had been given for his actual role."

        He worked for Staffs police for 18 years! In a digital forensic role! And he needed 'hindsight' to realise that?

  4. This post has been deleted by its author

  5. BenDwire Silver badge
    Pint

    The Yellow Advertiser

    Since when has the Yellow Advertiser been a source of news? I can remember it being shoved through the door of my Essex home back in the '80s (and possibly the '70s) as one of the two freebie papers of that era. I will admit to viewing its pages of listings, then buying and selling knackered cars as a student. It also had a secondary use to mask off bodywork from overspray.

    But to see it credited as a newsworthy source has really blown my mind. I need to take my medicine ->

    1. The Basis of everything is...
      FAIL

      Re: The Yellow Advertiser

      I thought it went bust some time around '86? My first job as a paper boy lasted 3 weeks before they went TITSUP (total inability to supply unwanted papers). And I've outlasted a few more employers since then, which doesn't look so good when you write it down. Hmm.

      (Apologies if you lived near a certain riverside place to be, the last 3 might have been me...)

      1. Gene Cash Silver badge

        Re: The Yellow Advertiser

        Could you get a job at Oracle, then, please?

        1. John Brown (no body) Silver badge
          Coat

          Re: The Yellow Advertiser

          He'd be better off joining the SystemD team :-)

          1. Doctor Syntax Silver badge

            Re: The Yellow Advertiser

            Multi-tasking would be a good thing.

  6. Anonymous Coward
    Anonymous Coward

    Insiders can be the biggest threat. Shows the importance of auditing your environment as well as hardening it.

    1. The Basis of everything is...

      I have heard it said, from a lawyer no less, that it is often far easier to obtain information with a large paper bag full of cash than with a roomful of hackers. When I asked him how he knew of such things he just smiled.

  7. cantankerous swineherd

    "I want to reassure the public that no systems were hacked into from outside of the NHS networks and the integrity of the NHS systems remains robust."

    1. having insiders abusing the system isn't reassuring.

    2. the integrity of NHS systems is obviously shot to smithereens.

    next.

  8. Conundrum1885

    NHS integrity

    Like the systems still running Windows 7 and thus vulnerable to log4j etc.

    For that matter, MSG got hit over here by a script kiddie level hack, that got into their email server and made off with

    essentially the entire patient email database.

    That £1.5M should be given back with the requirement it be spent on IT improvements IMHO.

    1. EnviableOne Silver badge

      Re: NHS integrity

      I think you'll find the NHS is now mostly up to date, unlike a lot of businesses I am aware of.

      90-95% of the NHS estate is on a supported version of Windows 10 and the majority of the remainder are on older builds of w10.

      Log4j has hit everyone, from FAAM down and unlike the Belgian MOD, the NHS (so far) hasn't been breached.

  9. martinusher Silver badge

    Why bother?

    Getting vaccinated is a lot easier and less trouble than trying to fiddle the system. You also have the advantage of being relatively immune to the virus.

    I know that there are people who insist on not getting vaccinated on principle. Since nearly all serious cases of Covid are now among unvaccinated you could say the problem is gradually fixing itself. Paying extra for a duff record might fool a few people but it won't fool the virus. (....and yes, I know the diehards insist that the virus -- even all viruses -- are a hoax but I haven't got time for that particular rabbit hole).

    1. Anonymous Coward
      Anonymous Coward

      Re: Why bother?

      Since nearly all serious cases of Covid are now among unvaccinated

      Identical case fatality rate in under 50s whether vaccinated or not (0.05%) - I count death as the ultimate "serious". Your statement has some validity in the elderly (who'd have thought old people are susceptible to respiratory infections?) but is provably false for others.

      https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1018547/Technical_Briefing_23_21_09_16.pdf

      1. Doctor Syntax Silver badge

        Re: Why bother?

        I looked at your reference.

        Let me direct your attention to Table 7 on p34. It lists vaccine effectiveness for 1. Infection, 2. Symptomatic disease, 3. Hospitalisation and 4. Mortality. Under those headings Pfizer-BioNTech and AstroZeneca respectively score 1. 75 to 85% and 60 to 70%, 2. 80 - 90% and 65 to 75%, 3. 95 to 99% and 90 to 99% and 4. 90 to 99% and 90 to 95%. Moderna has results listed for fewer categories: 2. 90 to 99% and 3. 95 to 99%. [1 to 4 are my numbers to represent rows in the table]

        In what way do you argue this table, from the report you cited, supports your contention?

        1. Anonymous Coward
          Anonymous Coward

          Re: Why bother?

          The death rate, as stated.

    2. Anonymous Coward
      Anonymous Coward

      Re: Why bother?

      It is pretty stupid, especially if you’re caught and sent to prison, which isn’t the safest place even when there isn’t a pandemic but are breeding grounds for the virus now.

    3. Pascal Monett Silver badge

      Re: Since nearly all serious cases of Covid are now among unvaccinated

      Go tell that to Gibraltar.

    4. Anonymous Coward
      Anonymous Coward

      Re: Why bother?

      "Since nearly all serious cases of Covid are now among unvaccinated"

      https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1041593/Vaccine-surveillance-report-week-50.pdf

      I will refer you to look at page 35, table 8 COVID-19 cases by vaccination status between week 46 and week 49 2021 then

      Table 9. COVID-19 cases presenting to emergency care (within 28 days of a positive specimen) resulting in an

      overnight inpatient admission by vaccination status between week 46 and week 49 2021

      Of the 8,235 admissions, 42% are unvaccinated and 55.88% are vaccinated (with 51.68% being double vaccinated).

      1. Richard 12 Silver badge

        Re: Why bother?

        Base rate fallacy.

        Good luck, sounds like you desperately need it.

      2. martinusher Silver badge

        Re: Why bother?

        I should have added "where I live" -- California

        This is a large state with a couple of densely populated areas in an otherwise sparsely populated rural state. The politics of the rural area is very similar to the Heartland -- put simply, there are many Trump followers and so a lot of people who don't believe in vaccination and so on -- while the urban areas have a lot of high skills people who tend to "follow the science". This sharp delineation tracks both vaccination rates and the disease itself, the correlation between the two that was first noticed last year.

        The response to Covid in the US was conditioned by the needs of the 2020 Presidential race. I have no idea why anyone would want to import this level of dysfunction into their countries.

        1. W.S.Gosset Silver badge

          Re: Why bother?

          > The response to Covid in the US was conditioned by the needs of the 2020 Presidential race.

          Actually, the USA Covid response was run by Pence, not Trump.

          1. veti Silver badge

            Re: Why bother?

            Yeah - nah. When the CinC tweets that governors who impose lockdown orders are tyrants and it's his followers' civic duty to resist them, violently if necessary - it's kinda hard not to see that as interfering with the response.

            As well as his other crimes, Trump also seems to be the world's worst line manager.

      3. Doctor Syntax Silver badge

        Re: Why bother?

        Take another look at the table.

        Look at the bit that says [These data should be interpreted with caution. See information below in footnote about the correct interpretation of these figures]

        So read the footnote. If you don't understand it then please don't try to read anything at all into the table because you're not understanding that either.

        Now look at Table 1 on p12 because that tells you unequivocally what you actually need to know. It's essentially the same table that I pointed out in a reply to another post (you again?) trying to make something out of another report.

  10. W.S.Gosset Silver badge
    Trollface

    oi, sexism!

    > Helen Rance

    If she were a MAN you'd have just said DS Helen is forthright in expressing her opinion.

    1. Anonymous Coward
      Anonymous Coward

      Re: oi, sexism!

      "If she were a MAN you'd have just said DS Helen is forthright in expressing her opinion"

      I would have thought HIS opinion in that case?

  11. DomDF

    Can we please call them by their correct name of "Covid Pass"? A passport is a blue book with the holder's photo in it and a polite message from the Government on the first page.

    1. EnviableOne Silver badge

      colour options

      depends on when you got yours and where you're from what colour they are:

      The US and the new UK ones are Blue, Irish ones are green, EU ones are red, there are a few Black ones, but most pick one of those...

      https://www.passportindex.org/byColor.php

      Technically the definition of Passport fits both purposes, so its purely a political distinction.

      https://www.merriam-webster.com/dictionary/passport

  12. Pen-y-gors

    What is a 'passport'

    This whole covid passport thing doesn't really worry me, as I have no interest in attending any venue where they might be required! I'll stay at home and only go out to the shops for food. I'm lucky - I work from home anyway.

    But do we need this mega-technical bureaucracy of apps etc? Surely the simplest starting point is showing your vaccination card(s)? I have two - one with the details of my first two jabs on, and the other with my booster. Issued by NHS Cymru. If they're worried about faking it, shove some holograms on the cards. Given that it's only a matter of managing risk, and Covid can pass around even in a room of fully-vaxed people, surely it's hardly critical if the odd un-vaxed dick-head sneaks in with some fake paperwork. Sometimes the simplest solutions are the best!

    1. Jellied Eel Silver badge

      Re: What is a 'passport'

      You need an app to try and justify spending £40bn and counting. People have a better sense of the cost of a card than a virtual one. IT is expensive, so £40bn seems reasonable.

    2. Richard 12 Silver badge

      Re: What is a 'passport'

      Many places have been requiring negative LFT or proof of vaccination before permitting entry for several months.

      Most are happy with the card. Been to one that asked for the NHS letter, but they didn't scan the barcode so rather pointless.

      Very likely that most places will still be happy with the card.

  13. Ace2 Silver badge

    Ugh

    -1 for “sprouting clump”

    At least I’ll save time today, not needing to eat lunch.

  14. Roland6 Silver badge

    Factually inaccurate

    "As that was happening, the NHS was also preparing to launch the "biggest data grab" in its history, moving GP patient data from their local surgeries to a central repository"

    It wasn't the NHS that initiated the data grab, it was the government through the ono-NHS company the Health and Social Care Information Centre akak NHS Digital.

  15. IceC0ld

    and the integrity of the NHS systems remains robust

    err, I have nothing

    apart from an extended TITSUP AND DOWN

    T - he

    I - ntegrity

    T - hat

    S - ystems

    U - sually

    P - refer

    A - nd

    N - eed

    D - oes

    D - epend

    O - n

    W - eak

    N - etworks

  16. Handlebars

    report seems circumspect

    No mention of if the suspects were in a tech firm, a hospital, a GP surgery.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like