NHS loses laptop holding 8m patient records
By Stewart Mitchell
Posted on 15 Jun 2011 at 11:38
The NHS has admitted losing a laptop packed with up to 8.6 million medical records in a large-scale data breach that went unreported for three weeks.
The breach stems from the loss of “a number of laptops” from a North London storeroom and is being investigated by the Information Commissioner's Office.
“NHS North Central London is investigating the loss of a number of laptops,” the health authority said. “One of the machines was used for analysing health needs, requiring access to elements of unnamed patient data.”
One of the machines was used for analysing health needs, requiring access to elements of unnamed patient data
The authority has given few details of the case, but a report in The Sun claims 20 laptops went missing and only eight have since been retrieved. Police were “dismayed" that the health authority had taken so long to report the issue.
A spokesperson for the NHS told PC Pro that it couldn't comment on what was on the remaining missing laptops because the investigation was ongoing.
The NHS stressed that patients were unnamed in the records, but with details including postcodes and gender, and information relating to cases including HIV, cancer and abortion, there are fears that individuals could be identified if security measures on the laptops were bypassed.
“All the laptops were password protected and our policy is to manually delete the data from laptops after the records have been processed,” the NHS statement said.
The ICO confirmed it was investigating the issue. “Any allegation that sensitive personal information has been compromised is concerning and we will now make enquiries to establish the full facts of this alleged data breach,” the watchdog said.
Is your business a social business? For helpful info and tips visit our hub.
No issue as the hard drive will probably have been encrypted.
If not, fire the I.T staff
By rhythm on 15 Jun 2011
Quote “All the laptops were password protected and our policy is to manually delete the data from laptops after the records have been processed,”
OK - so 30 seconds to remove the Password, another 30 seconds if you have to Google it to find out how this is done.
And a couple of minutes to run a 'undelete' program, as i doubt they securly deleted the info.
By my calculations, 10 minutes and all the data is yours to sell on to the highest bidder.
By andy_fogg on 15 Jun 2011
It would take longer than ten minutes... but not much longer. The crazy thing is, Windows password removal is so easy that it is almost a joke to have them! All versions of Windows use the same type of security encryption, so even Windows 7 isn't safe from one tried and tested piece of shareware that I have personally used to gain access to a PC that I had locked myself out of.
By Biephsi on 15 Jun 2011
As a previous NHS employee, our laptops all had full-disk (power-off) encryption, which was intended exactly for a situation like this.
Let's hope that this is still the case with so many IT departments being streamlined or decommissioned!
Of course even the most robust protection can be infiltrated, given time and knowledge, but this was our best solution for cost-effectiveness, productivity and protection.
By Techette on 15 Jun 2011
Storm in a teacup
"patients were unnamed in the records, but with details including postcodes and gender"
A postcode applies to about 5 houses, so the data's no use to anyone unless they're a) interested in healthcare statistics or b) a bored Sun reporter looking to sensationalise a story.
By nelviticus on 15 Jun 2011
10 min's is much longer than it takes to bypass a simple windows password.
30 seconds to boot a disc.
30 seconds to click a couple of buttons.
30 seconds to restart.
I would hope and imagine that they had at least a basic level of encryption on it though, their will be some trouble if it wasn't.
By Anonymouse on 15 Jun 2011
You don't need 3rd party tools to gain access to a passworded windows PC.
The sticky keys trick works perfectly every time and makes a complete mockery of windows authentication.
And @ NHS IT, "“All the laptops were password protected and our policy is to manually delete the data from laptops after the records have been processed,”
This to me rads like your relying on the end user to delete the data when finished..jokers
By DaChimp on 15 Jun 2011
The 'sticky keys hack' is more hassle to do than any 3rd party prog' i've ever used to do it.
Not that either are hard to do at all really, but it's less clicks using a tool.
By Anonymouse on 15 Jun 2011
Why is there ANY data stored on a mobile device..??
This seems CRAZY...!! It makes little difference as to how easy or hard it is to break into the laptop, because no matter how secure, it will always be cracked given enough time. What amuses me is that now the story is out, whoever took the laptop now knows that the data has value, and therefore worth the effort of breaking whatever "security" there is. There shouldn't be a single mobile device being used by any Government body that stores an individual's data locally, because by definition, the device cannot be secured from this kind of real-world attack. Stealing a terminal or thin client would obviously get you nowhere, as the data can be stored in a location which cannot be accessed very easily by a human. Time for someone in Government to wake up and smell the insanity..
By _Alex_ on 16 Jun 2011
It is not particularly difficult or expensive to make it very difficult for someone to gain unauthorised access to a PC - my experience of the NHS is that they do have access to, and use, such technology but the problem is that the organisation is so huge that putting in place the necessary governance procedures to ensure that staff use the correct technology and conform to the Information Governance rules is not properly managed. I agree with Alex however that personal data should not be stored on mobile devices unless unavoidable.
One caveat - the media love these stories and love to emphasise the negatives. Any data loss needs to be fully investigated but it is entirely unclear from this news story just how much risk to individuals this data loss has created.
By SteveH on 16 Jun 2011
All our work laptops have pre-boot encryption installed, so that if the device is lost, stolen, or misplaced any data is secure, even putting the disk as a second drive on a desktop machine won't help. 99.999% of people will give up when facing 256 bit AES encryption. Especially the sort of people that "find" missing laptops. It's the asset that's the easiest revenue stream, data would be a bonus.
By Stonedecroze on 16 Jun 2011
Yes, three factor pre-boot, full disk encryption. I posted this quite early on, so don't know why so many people are commenting about the ease of breaking windows authentification.
By Techette on 16 Jun 2011
@andy_fogg - you're assuming they've only used a BIOS or simple Windows password, and not something stronger like Windows 7 Ultimate's Bitlocker (which would encrypt the data). You're almost certainly right.
By flyingbadger on 16 Jun 2011
Why store data locally at all?
I said this when the "Two CD's" loss happened a couple of years ago - why store data in the least secure place at all (laptops, CD's, etc.), when having a remote login to a central Datastore is surely possible, and if they need to work on copies of databases, allocate remote disk space for that very purpose. A central Data/Login would be far more secure. Yes, it could be breached, but having everything in a 'Virtual Bomb-Proof Bunker' must be better than the 'Papers in the Wind' situation which seems to be the present system.
By Wilbert3 on 16 Jun 2011
None of it matters...
If the person who uses the laptop turns the encryption off.
Typing in a secure password countless times a day becomes very tedious.
By Anonymouse on 16 Jun 2011
Doesn't work like that.
Our (non NHS) machines have xfactor preboot with FDE. You can't turn it off, no matter how tedious bootup is, unless you're high up the IT admin chain, but then you'll have IS/IG imprinted on your brain and you'll be completely paranoid all the time anyway
By TheHonestTruth on 17 Jun 2011
Being a non NHS setup....
kind of makes your post redundant, as they may or may not work like that.
Just cos such a setup exists, doesn't mean that is what the NHS is using.
My post was qualified with the use of the word "if"... and it stands, if the user turns the encryption off that obviously implies they have the capability to do so.
Maybe you should have qualified your post with the word "always", so it read...
"Doesn't always work like that"
Then, while your post would still have been redundant, we could have at least been in complete agreement.
By Anonymouse on 17 Jun 2011
Its not as bad as it looks
Sure the fact that the data is potentially in the wrong hands is worrying BUT in most cases people who steal laptops want to flog them off at a knock off price or maybe reuse them.Its unlikely the data will be of any interest or value to whoever took the laptops chances are they want make a few pounds for the hardware.
By shebanti on 17 Jun 2011
They Should Be Sacked
....but of course that won't happen. It never does.
And, of course, the Information Commissioner's office will prosecute the organisation under the Data Protection Act so that we taxpayers end up paying the fine.
Stupid, stupid, stupid.
By jontym123 on 18 Jun 2011
My post was made to highlight Techette and Stonedecroze’s mentioning of having pre-boot security on their NHS machines (well, Stone didn’t actually specifically say NHS, but he clearly implied it) and the difficulties in circumventing it, as everyone was still banging on about simple windows passwords :)
As you say, perhaps not all Trusts will have this implemented, but those two aforementioned and some NHS friends all have pre-boot FDE in place, so it sounds fairly regular practice. My apologies if I did not make this clear!
By TheHonestTruth on 20 Jun 2011
- 20 years of PC Pro: our best covers
- Why we've closed the PC Pro forums
- How to turn off Google Location Tracking
- 20 years of PC Pro: our greatest review mistakes
- 20 years of PC Pro: our first A-List
- Wikipedia's "right to be forgotten" protest hits the wrong note
- 3D printing hits the high street for plastic selfies
- 20 years of PC Pro: What amazed us in our first issue
- How Google Glass ruined my lunch hour
- Smartphone battery packs: can a USB power pack beat the festival battery blues?
- How to write your company's IT security policy
- The key to choosing a secure password
- Please stop reposting fake Facebook messages
- Is Facebook safe for business?
- Don't rely on Chrome's password vault
- Facebook Graph Search: don't panic
- Gmail drafts and Pastebin: could they evade the email snoops?
- Applying for a job at GCHQ? Here's your plain-text password
- Google two-step verification: a must for business email
- Yes, I write down my passwords