Junior doctors' confidential details openly displayed
27 Apr 2007
The Medical Training Application Service website will be the subject of a Department of Health investigation after an undercover reporter found that the private details of over 1,000 junior doctor applicants were available to view on the website.
Channel 4 News said that it logged onto a website provided to them by a doctor and found they had access to confidential information including doctors' addresses and telephone numbers, previous convictions, sexual orientation and religion.
According to the programme, the information was available from at least 9am to 5.05pm on Wednesday 25 April on a dedicated URL provided for selectors. The channel reported: “It appears that the information was downloaded onto Excel files and placed on an unsecured website that could be accessed by anyone through the internet.”
The Department of Health were informed at 4.35pm and had the URL blocked within half an hour.
In a statement, the DH said: “We apologise to any applicants whose details have been improperly accessed. This is a very serious matter and is under investigation.
“This URL was made available to a strictly-limited number of people making checks as part of the employment process. This information was never publicly available through the NHS Medical Training Application Service website and was only accessible for only a short period of time after details of the URL were leaked. The MTAS team fixed the problem as soon as it was brought to their attention.”
The BMA condemned the “appalling breach of students' confidentiality”. Dr Jo Hilborne, chairman of the BMA Junior Doctors Committee, said: “What little faith anyone had left in this shambolic system has just evaporated. It is a breach of security on an appalling scale. The ease with which anyone could have accessed highly sensitive information about thousands of people is frankly shocking.
“The BMA has raised concerns about the security of the MTAS website on more than one occasion. The Department of Health had months to put it right and failed. There can be no excuse for this.”
Emily Rigby, chair of the BMA Medical Students Committee, said the security flaw added to the worries of the applicants, who are currently taking exams.
“Many of the people affected are currently taking their finals and this just adds to the stress they’re under. We’re incredibly concerned about the extent of the breach and the surrounding security issues. We demand a full and thorough investigation and to know what steps will be taken to assure this can never happen again.
“What has happened is appalling and it’s inexcusable. We raised concerns about online security for medical students’ applications last year after the system was hacked into. We were given explicit assurances it wouldn’t happen again. Despite improvements this year in the MTAS system for students there are still areas of concern and confidence is fragile. The breach has led to many students questioning the validity of the system.”
The latest failure adds to problems at MTAS, which is supposed to handle applications for higher medical training, sifting them by a computer-based system to produce shortlists of candidates suitable for interview. It follows the BMA’s recent warning that the NHS could lose thousands of doctors overseas due to the chaos in medical training.
The Liberal Democrats announced they have written to the Information Commissioner asking him to urgently investigate the release of sensitive personal data of junior doctors on a Government website.
Norman Lamb, health spokesperson for the party, wrote: “The lack of consideration for the security of personal data in this case seems to constitute a serious breach of the Data Protection Act. I am sure you will agree this is an extremely concerning situation. I therefore ask that you thoroughly and urgently investigate this matter.”
He added: “Are there any lessons to be learnt from this debacle in respect of the plans to establish a national database of patient records under the ‘Connecting for Health’ IT programme?”
The security flaw was mentioned in yesterday’s Health Select Committee meeting on the electronic patient record, with the committee chair, Kevin Barron, MP, asking Richard Granger, director general of IT for the NHS, if such incidents would increase concerns from the public about the security of their records.
Granger replied: “I can’t give a cast iron guarantee that things won’t go wrong, however compared to MTAS, our suppliers all have experience with security and we are introducing functionality incrementally, mitigating risks and examining any necessary changes before the next stages.”
© 2007 E-HEALTH-MEDIA LTD. ALL RIGHTS RESERVED.
1 Mitigating risks, 27 Apr 07 09:45
And CfH have the audacity to berate doctors for "scaremongering" their patients into opting-out of the national medical database.....

2 Methods Consulting & Jobsite, 27 Apr 07 11:12
You need to update the article with yesterday's story about the wide open mail system. Given the apparent ignorance of the most basic principles of information security, is there not a case for Methods Consulting & Jobsite to be sent back to school? And Richard Granger's comments about the matter blew up in his face.

3 Scare Mongering, 27 Apr 07 11:18
Well, access to a URL on the web and accessing patient records in a database on a private network using accredited secure systems is the same. Right! What has CFH got to do with a URL of DoH?

4 MTAS not NHS CFH, 27 Apr 07 11:52
MTAS wasn't developed by NHS CFH. If it had been, the CESG Check penetration testing that is mandatory for suppliers would have certainly picked this up.

5 CfH falling down on the job, 27 Apr 07 13:28
Watch the end of the Channel 4 report on the website with reference to the improper release of confidential data from the CfH website itself. And MTAS was supposed to have been accredited as well in addition to two OGC Gateway Reviews.

6 should selectors know the sexuality and religion of candidates? mary.hawking@nhs.net, 27 Apr 07 20:11
One of the amazing things about this website appears to be the information included - and excluded! *Surely* the selectors are at risk of allowing bias to creep in - one of the alleged reasons for this method of selection, after all - if they have access to sexuality and religion? I might be less shocked if qualifications and experience had not, reportedly, been excluded from the application process! Remember Tom Lehrer's song about the US Army - which forbade discrimination not only on the grounds of sex, race or religion, but also of ability... But I do agree - both the producers and commissioners of this site have questions to answer.

7 Simply shocking, 29 Apr 07 19:58
Just unbelievable that any modern organisation can hand out a simple url giving direct access to such confidential data - no need even to have a user id nor password. Presumably this also means no audit trail either ....... I had thought up to then that Methods had been getting the rough end of the stick as the supplier, with a very poor commissioning client. We now need to know who set the security specifications. I am also told that when Medical HR Departments were sent the needed contact information etc, that "all" the application information was on the Excel Spreadsheets - "too much information"? I think that the argument that a product of one part of the DoH is so poor at security then casts doubt on another is pretty potent.

8 Village talk, 30 Apr 07 18:28
One word going round the Westminster village is that the only reason CfH is being kept going is to give Gordon Brown the PR success of finally shutting it down and thereby demonstrating his commitment to common-sense government.


