Cancer patient sues hospital after ransomware gang leaks her nude medical photos

A cancer patient whose nude medical photos and records were posted online after they were stolen by a ransomware gang has sued her healthcare provider for allowing the "preventable" and "seriously damaging" leak. The proposed class-action lawsuit stems from a February intrusion during which malware crew BlackCat (also known …

  1. Eclectic Man Silver badge

    Flippin' heck!

    As if having cancer badly enough to need radiotherapy was not bad enough:

    "her physical and email addresses, along with date of birth, social security number, health insurance provider, medical diagnosis and treatment information, and lab results were also likely stolen in the breach."

    I thought there was some general agreement amongst data thieves and ransomware users that medical facilities were off limits.

    Utterly appalling.

    1. J__M__M

      Re: Flippin' heck!

      >I thought there was some general agreement amongst data thieves and ransomware users that medical facilities were off limits.

      Where in the hell have you been?

      1. Anonymous Coward

        Re: Flippin' heck!

        Indeed - that stopped being a thing seven or eight years ago when hospitals and other healthcare systems turned into ripe, juicy targets because they would rather pay their upper management a shit ton of money than do things like harden their IT infrastructure, or hire enough staff (and pay said staff decently).

        There might have been a gentleman's agreement back then, but not anymore.

      2. Eclectic Man Silver badge
        Facepalm

        Re: Flippin' heck!

        J__M__M "Where in the hell have you been?"

        Cloud cuckoo land, it seems.

    2. Anonymous Coward

      Re: some general agreement amongst data thieves and ransomware users

      nothing personal, it's just... business. I mean, you wouldn't expect a business NOT to enter into 'life-saving hardware' such as MLRS, etc, etc?! You wouldn't expect a country and its authorities that proclaim their values (etc, etc.) not to be involved in selling life-saving hardware so that lives can be saved in other parts of the globe, would you? What's the difference - from an ethical point of view?

      1. jvf

        nothing personal

        Nothing personal - but a death sentence is looking more and more appropriate for these scumbags. As for the idiots that let this happen - 20 yrs minimum.

      2. I like fruits
        Mushroom

        Re: some general agreement amongst data thieves and ransomware users

        Dear Anonymous Coward, I sincerely don't wish you to live in a country where one of the things preventing total genocide of your people is a good stock of MLRS. I hope you will reevaluate your position regarding the life-saving properties of these beautiful devices. With warm wishes from Ukraine.

        1. VoiceOfTruth

          Re: some general agreement amongst data thieves and ransomware users

          If only Iraq had MLRS it might have prevented the murder of 1 million Iraqis at the hands of the USA.

      3. Anonymous Coward

        Re: some general agreement amongst data thieves and ransomware users

        no big deal, your wife paid off your debt to me, and I gave her a little something to share with you. Might want to see your doctor soon.

    3. Ideasource

      Re: Flippin' heck!

      Here's the thing about agreements, laws or any other governing rule in any group.

      They are useless for prevention. They're only useful for blame after inevitable breakage.

      They act as a magic Dumbo feather, or a comforting bedtime story to help people sleep at night, and a weapon of accusation in hindsight, but are largely useless to prevent anything in active life relative to an individual life.

      More useful to historians and courts to classify and judge after the fact than an effective safeguard.

      Groups of humans still operate as individuals.

      And in any group there will always be some percentage of individuals that will deviate.

      I think that's just part of growing up in this world: realizing the rules will always be too late to save you except by fluke.

      Nothing's guaranteed. So do your best and f*** the rest. It's all discovery.

  2. elsergiovolador Silver badge

    NHS

    Thankfully our government is keeping our personal data safe under the hawkish eye of a certain corporation.

    So don't worry, something like this will never happen.

    And once we ban encryption and maths, we will be able to see what everyone is up to and we will catch anyone daring to touch our precious data before they do anything.

    1. cyberdemon Silver badge
      Trollface

      Re: NHS

      Don't worry. Once we ban encryption, ransomware will be impossible.

    2. Anonymous Coward

      Re: NHS

      Your concerns about making a company the custodian of NHS patient data are understandable, but they really are the last of our worries. It's like smoking 40 a day for 50 years, then worrying you'll get cancer because of the cigar you puffed on at your 70th birthday do. Similarly, I wouldn't worry about the NHS in respect of our idiot lawmakers trying to break encryption - the NHS would have to use it properly first, and there is scant evidence for that!

      Having worked extensively with NHS organisations on data, systems and infrastructure projects, I am intimately familiar with their typical approach to data security. For central gov and NHS digital platforms, the approach is OK(ish), but at regional and local levels it's like the wild west. The security at many large NHS trusts I've worked with is so egregiously bad it would take me hours to explain properly.

      Two or three years ago I consulted for a large trust who were introducing a whole new clinical systems platform (where they store ALL sensitive patient data). This involved auditing their current setup; what we found was diabolical, but sadly not uncommon. A few findings:

      Restricted access to medical records is required by police, social workers, courts etc. This trust gave out remote access accounts to this data like giving out sweets. When a new SW or cop needed access, they created an account (usually generically named, NOT named to a user!). These accounts were given remote access to the unrestricted clinical records for ALL patients. Once created, the accounts remained active and weren't monitored. They had been doing this for years and by the time I saw it, there were over 800 live accounts providing full remote access to ALL data for ALL patients. When I told them we had to disable these and give out new per-user creds with RBAC to data, they said it was impossible, because they had no idea who these accounts were used by and no way of contacting the users!!! They didn't even have email addresses, even for the rare examples that resembled a person's name! This is YOUR data people!

      A network audit showed that on ALL clinical system servers SMB1 was running as a service, and accessible to anyone on the network. I could enumerate shares while unauthenticated. Worse still, where physical firewalls were used, SMB1 was allowed between ALL networks and hosts! This is exactly what WannaCry (which happened 3 years prior), and tons of other nasties, use to spread.

      Another beauty was that their Clinical databases were exposed to the internet using ODBC! This was to provide trust employees with the convenient facility of compiling patient data reports from home.

      Honestly, I could keep going here....

      Eventually, they agreed in principle that the aforementioned remote accounts would need to be expunged and recreated properly (although they still had no idea how to contact the users!!!). I strongly advised that all accounts on the new platform should implement 2FA. They said no - didn't want to inconvenience users (esp the precious doctors). I therefore insisted that ALL remote accounts enforce 2FA, they said no again. I told them, in that case I'm walking - this is a disaster waiting to happen and I want nothing to do with it. This was escalated all the way to the CEO of the trust! I had to attend a meeting of their board to convince them that paying 2 quid per user per month (and then only for external access) was a price worth paying to keep our private clinical data safe. At no point did I get any backing from their IT or 'security' teams.

      I eventually got the CEO to agree to 2FA, but ethical obligations were not the decisive factor. Instead, I had to emphasise the embarrassment and professional / reputational impact a leak might have on individual board members! And again I had to reiterate that I would be walking after the meeting if they didn't relent (I really was ready to just go).

      I have several stories like this, stories so bad that I wouldn't believe them if I hadn't seen things first hand.

      The level of negligence, ignorance and disinterest in information security within the NHS is barely believable. The complacency and willful ignorance of those responsible is mind-blowing, and this is why you don't need to worry about a single commercial custodian for NHS data. I am convinced of the fact that ALL our clinical data is possessed by, or accessible to, any state-level bad-actor you can think of. There are likely hundreds of breached systems in the NHS, each of which the bad guys will have full control of. It would not surprise me in the slightest if these systems are being curated and managed as strategic assets, ready to be exploited when the time is right.
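The remote-account findings in the post above (generically named accounts, no contactable owner, accounts left live for years, unrestricted access to every patient's records, no second factor) are the kind of thing an access review should surface automatically. The following Python script is an added example, not code from the commenter or from any NHS trust: it triages a constructed account inventory against those five conditions and produces a per-account finding list plus a summary. The inventory fields, the generic-name pattern and the 90-day staleness window are assumptions for the example.

```python
"""Triage an exported inventory of remote-access accounts for the
conditions described in the audit post above: generically named accounts
with no contactable owner, accounts never used but never disabled,
accounts with unrestricted access to every patient record, and accounts
without a second factor.  Field names, the generic-name pattern and the
staleness window are assumptions; the sample data is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple
import re

# Usernames that name a role or organisation rather than a person are
# treated as generic (assumed pattern; extend for local naming rules).
GENERIC_NAME = re.compile(r"^(police|court|sw|socialwork|temp|ext|remote|user)\d*$", re.I)
STALE_AFTER = timedelta(days=90)


@dataclass
class Account:
    username: str
    owner_email: Optional[str]   # None when nobody knows who uses it
    last_login: Optional[date]   # None when the account has never been used
    scope: str                   # "all_patients" or a named caseload
    mfa_enrolled: bool


def account_findings(acct: Account, today: date) -> List[str]:
    """Return the list of policy violations for a single account."""
    findings = []
    if GENERIC_NAME.match(acct.username):
        findings.append("generic-name")        # not attributable to a person
    if not acct.owner_email:
        findings.append("no-owner-contact")    # cannot be re-issued per user
    if acct.last_login is None or today - acct.last_login > STALE_AFTER:
        findings.append("stale")               # unused but still live
    if acct.scope == "all_patients":
        findings.append("unrestricted-scope")  # no RBAC on the data
    if not acct.mfa_enrolled:
        findings.append("no-mfa")              # single factor for remote access
    return findings


def triage(accounts: List[Account], today: date) -> Tuple[Dict[str, List[str]], Dict[str, int]]:
    """Return per-account findings plus a count per finding type.
    Accounts with no findings are omitted from the per-account map."""
    per_account: Dict[str, List[str]] = {}
    summary: Dict[str, int] = {}
    for acct in accounts:
        found = account_findings(acct, today)
        if found:
            per_account[acct.username] = found
            for name in found:
                summary[name] = summary.get(name, 0) + 1
    return per_account, summary


# Constructed sample inventory (not real accounts or real people).
TODAY = date(2023, 3, 15)
SAMPLE = [
    Account("police01", None, date(2019, 6, 2), "all_patients", False),
    Account("sw", None, None, "all_patients", False),
    Account("jane.smith", "jane.smith@example.invalid", date(2023, 3, 1), "ward-7-caseload", True),
    Account("temp3", "ops@example.invalid", date(2023, 2, 20), "all_patients", False),
]

if __name__ == "__main__":
    details, counts = triage(SAMPLE, TODAY)
    for user, found in details.items():
        print(f"{user}: {', '.join(found)}")
    print("summary:", counts)
```

Run against a real export, the summary counts are what a board needs to see (how many live accounts nobody can attribute to a person, how many reach every record), while the per-account list is the work queue for disabling and re-issuing per-user credentials with 2FA.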

  3. Anonymous Coward

    Until and unless the alternative is an existential threat level of fines/compensation payouts, organisations will continue to fail to properly fund cybersecurity efforts.

    1. Doctor Syntax Silver badge

      Or to put it plainer (it needs to be plain enough for directors and investors), until fines and compensation have actually taken a few noticeably big corporations down entirely. The first two or three might get noticed but it might take more to start the panic that's needed.

      1. Vometia has insomnia. Again.

        Even that might not be enough; it'll probably take several CEOs spending time in the clink for that to happen. Supposedly their enormous remuneration is in recognition of their huge responsibility, and it's beyond time that responsibility actually meant something.

        1. Anonymous Coward

          Agreed. Equifax should have ceased to exist after their breach. So should BA.

          1. Anonymous Coward

            re. Equifax should have ceased to exist after their breach. So should BA

            and instead, they happily continue as before. You just need to weather the storm, the little people will get their 5 sec dopamine hit from fuming on twitter and such, and then, move on, nothing to see here. Resilience, bro!

    2. Dimmer Silver badge

      What would be nice -

      Software that did not need an internet connection to stay working because of licensing

      Software that is available for stand alone and not in the cloud.

      - then we could unplug the damn critical things from the internet.

      I have found that those that don’t spend the money on security get hacked first and go out of business. Those that do, survive a hack.

      You did not write all the software you use, so you will be hacked at some point. Applied time and money depends on how bad it will be.

      1. Orv Silver badge

        The tricky thing here is medical records often need to be sent to other providers. I suppose we could go back to the days when that was only done via fax; not that fax is particularly secure but hackers have probably forgotten what it is by now.

        1. PorcelainMorsels

          It's not particularly secure either

          I mean, plenty of the threat vectors are the same. The difficulty of a particular vector may vary slightly; some better, some worse. But you do at least get some additional assurance that comes with being on a circuit switched network.

  4. Jason Bloomberg Silver badge
    FAIL

    "We do not comment on active legal matters"

    One day we'll hear "our data is so strongly encrypted and spread about that we could hand all our data out for free and it would be no good to anyone ".

    Not during my lifetime.

    Nor "I am so utterly ashamed at what we have allowed that I have sacked all the staff responsible for security of patient data and have resigned".

  5. Tubz Silver badge

    Going to be an expensive pay out, better just settle out of court !

    1. bpfh
      Flame

      Unfortunately ...

      Although drawing the board over the coals and under the keel would be good "pour l'exemple"...

    2. John Brown (no body) Silver badge

      "Going to be an expensive pay out, better just settle out of court !"

      Settling out of court is entirely possible. No one wants to be the one to lose in court and set a precedent. It happens all the time, sadly. There are certain court cases that really need to go ahead and the judge ought to refuse to accept the settlement terms.

  6. Anonymous Coward

    an apology, and with a chuckle, two years of credit monitoring

    oh come on, an apology, 2 years of credit monitoring PLUS a FREE chuckle, what more can you expect?!

    1. RockBurner

      Re: an apology, and with a chuckle, two years of credit monitoring

      A guffaw?

      1. TheInstigator

        Re: an apology, and with a chuckle, two years of credit monitoring

        I guffawed at this

  7. Claptrap314 Silver badge

    When the insurance companies failed

    our last hope became the plaintiff's attorneys?

    "Save us, ambulance chaser, you're our only hope!"

    1. Youngone

      Re: When the insurance companies failed

      Ambulance chaser should be a badge of honour. They provide a valuable service in the United States. How else are ordinary working people supposed to get justice?

    2. Orv Silver badge

      Re: When the insurance companies failed

      "Ambulance chasers" are how issues like this get addressed in the US. We don't have a huge regulatory state to pursue companies for violations like this the way some other countries do. For better or for worse we've settled on doing it through the civil legal system.

      1. Youngone

        Re: When the insurance companies failed

        I know. Hence my comment.

  8. VoiceOfTruth

    I bet he saw dollar signs

    -> Pennsylvania attorney Patrick Howard, who is representing Doe and the rest of the plaintiffs in the proposed class action, said he expects the number of patients affected by the breach to be in the "hundreds, if not thousands."

    Kerrrrrrchinggggggg!

  9. sgp

    75000

    Why do you keep records on 75000 patients? There aren't 75000 patients currently undergoing treatment, are there?

    1. Throatwarbler Mangrove Silver badge
      Facepalm

      Re: 75000

      Strangely, hospitals keep records on people even after those people are no longer being actively treated. A few moments' thought should reveal why.

  10. PRR Silver badge

    > hospitals keep records on people even after those people are no longer being actively treated.

    Yeahbut... only for so long. Maybe a decade. I had a thing in my gut, lots of scans and tests, knife and drugs, was better. And then 20 and 25 years later a different thing in the similar area, and my surgeon wanted to see what was in there and if it had been there all along. Could NOT get the old records. (True, this was days of film and fax, not compressed bits.)

    Since then I have tried to get my records but the hospital is very reluctant to share. Maybe I need a ransomware gang.

    1. VicMortimer Silver badge

      In the US? You've got a right to your records: The Guide to Getting & Using Your Health Records
