E- Health Primary Care E-Health Europe E-Health Jobs (UK only) E-Health Insider Events
Welcome Guest | Login | Register | Why Register?
HOME | CONTACT | NEWS | DOCUMENT LIBRARY | FEATURES | OPINION & ANALYSIS | EVENTS | RESEARCH REPORTS | CASE STUDIES | POLLS | PODCASTS

Patient records found on drive sold on eBay

Tags: BT   Security  

26 Sep 2007

A hard drive of a trust computer containing patient data was sold using auction website eBay, with data improperly wiped. 

The trust has now launched an investigation into how the computer part was made available online. It is feared the hard disk may have been stolen from one of the trust’s hospitals. 

The drive belonged to the Dudley Group of Hospitals NHS Trust, which has a Private Finance Initiative deal with Siemens Medical Solutions to wipe data and dispose trust computers safely. Siemens subcontracts the disposal of obsolete equipment to Computer Disposals. 

However, unbeknown to the trust, Siemens and its contractor, the hard drive had not been completely wiped and was put on sale on auction website eBay.

A Siemens spokesperson said the computer from which the hard disk was taken was not part of the PFI contract with the trust, but the company is working alongside Dudley to ensure that procedures are in place to prevent this from happening again. 

The hardware was purchased from the website by BT, as part of a sponsored research project with the University of Glamorgan. Researchers from BT and the university were able to reuse the hard drive and access confidential details of cancer patients. 

The trust said in a statement: “There is an ongoing investigation into this incident involving very senior people and we are looking at possible loopholes in the system. There is no record of this machine going through the systems that Siemens has in place for disposing of equipment. We cannot have something like this happening again.” 

A new set of recommendations has been launched by the trust and Siemens to prevent data being left on disposed drives, and the trust and Siemens have changed the contract to include the use of a degausser to wipe hard drives using electromagnetic frequencies.

Trust chief executive Paul Farenden said: “All hard drives that leave the trust via this route are subjected to data wiping which meets the UK government’s standard of being over-written three times.”

Dr Andy Jones, head of security technology research at BT's Security Research Centre, said: “What's clear is that despite the publicity, nothing much has changed. All organisations lose equipment, but if they contain sensitive data they should look to using something like encryption to make sure it's better protected.”

Of the 133 disks the researchers obtained in the UK, which were all analysed using techniques which would be accessible to anyone, only 75 were working but the Glamorgan team found data on 62% of those - including company records, personal information, financial data and paedophile material which has resulted in a police investigation in Wales.

Dr Andrew Blyth, principal lecturer at Glamorgan's School of Computing, said: “We are still in a situation where over 50% of the disks contain sensitive corporate and personal data and a significant amount contained names, CVs, addresses and phone numbers. With some, the information was so detailed that they could have had their identities stolen.”

© 2007 E-HEALTH-MEDIA LTD. ALL RIGHTS RESERVED.

Readers Comments
Add a comment
Readers Comments

1

Free software

Neil.Bhatia@nhs.net

27 Sep 07 08:49

Totally unacceptable - especially as there is completely free software available (e.g. http://www.heidi.ie/eraser/) that will do the job for any hospital or GP practice.

2

Making mistakes is bad, but not realising the mistake that has been made is worse.

27 Sep 07 10:22

In the early days of hard drives, you could safely destroy all of the data on a hard drive by simply overwriting the data many times with random data. However, because the writing area for a byte on a modern hard drive is much smaller, variations in temperature means that the bytes get written in noticeable different locations. By slightly modifying the firmware of the drive (the controlling software) it is trivial for computer forensics people to recover data that has been 'overwritten'. This is routinely done by data recovery companies, and the modified firmware is publicly available. There have been incidents in the past where villains have broken into GP's surgeries, stolen patient information, and two prominent ladies received blackmail letters threatening to publicise abortions [Security in Clinical Information Systems – BMA, 1996]. Such cases undermine patient trust in the confidentiality of clinical information, and may cause patients to not give important information to clinical staff. The way to destroy data on a hard drive is to destroy the hard drive itself - simply put a nail through it, shattering the disk. The £5 gained by selling a second-hand hard drive isn't worth the cost in terms of patient confidentiality or patient care.

3

Lawyers will solve the problem...

27 Sep 07 16:15

New self encrypting hard drives are available from Seagate. the MOMENTUS FDE.2 drive natively encrypts/decrypts all read/write actions. The drive, in conjunction with Wave system's Trust Drive Manager also features an instantaneous cryptographyc key erase function effectively erasing the data within less that 1 (one) second.

The problems surrounding "Data at rest" issues has been going on for too long and most companies managing "Data at rest" issues are simply inept. And that includes, apparently, also Siemens in this case.

There will be class action law suits that will give CEOs sleepless nights. Can't come early enough...

4

Drives should not survive their NHS Lifetime

27 Sep 07 22:34

We still hear of computers being stolen and panic about data that is stored on them. There is plenty of software available to encrypt drives to protect data easily. Truecrypt works on all major Oses and uses well documented solid algorithms. Cryptsetup is also available FOC.

However when drives leave the NHS, it should be to their afterlife. No-one has yet retrieved data from a drive that I have destroyed in fire, which is where mine end up after I have finished with them. The NHS should do the same with our personal data.

5

- simply put a nail through it

nhstechie@btinternet.com

28 Sep 07 19:27

As well as ensuring the data can't be recovered, it is a great way to relieve tension. I thoroughly recommend this very therapeutic practice!

6

A free way

helenwilkinsonmakey@fastmail.fm

28 Sep 07 20:07

My teenage nephew wanted try Ubuntu Linux and installed it without defraging the hard disc or backing anything up. He did this on the family PC. My Sister wanted mad. I took to the PC to a friend an IT specialist (he works professionally in IT) who had to use specialist software to try to recover her files. He could not recover most of them. My IT friend nearly threw their PC out the window! He spent days trying to recover my Sisters files.

My Nephew lost all his GCSE Coursework too!

The answers simple download and install Ubuntu on top of a Windows Desktop! It will completely hose windows and wipe your hard disc clean!

7

CfH Approach needed?

29 Sep 07 10:31

Perhaps this is one instance where the CfH approach of "a big hammer" would be an advantage?

8

big hammer

05 Oct 07 09:36

I know of one NHS Trust that does actually possess a big hammer and uses it for this very purpose!

Search
News Features Jobs Newsletters
Most commented
Most commented
Most read
Most read
Tags
Tags
Top jobs
More
Top jobs

Featured_recruiters
Featured_recruiters
About Us | Advertise | Privacy Policy | Terms & Conditions | About RSS | RSS Feed
E-Health Insider is managed and maintained by E-Health-Media.com ©2009 E-Health-Media Limited.