Dudley Group of Hospitals NHS Patient Data For Sale on eBay

Date Reported:

9/12/07

Organization:
Dudley Group of Hospitals NHS (UK)*

*This is the first named breach from the University of Glamorgan study mentioned earlier on The Breach Blog.

Contractor/Consultant:
None (possibly Siemens Medical and Computer Disposals)

Victims:
Dudley Group of Hospitals NHS patients

Number Affected:
Unknown

Types of Data:
"confidential information on patients"

Breach Description:
One of the hard drives bought by the University of Glamorgan for its research was found to hold confidential Dudley Group of Hospitals NHS patient data. The drive had been purchased on eBay.

Reference URL:
http://www.computerworlduk.com/management/security/data-control/news/index.cfm?newsid=5148
http://www.guardian.co.uk/technology/2007/sep/13/guardianweeklytechnologysection.news2

Report Credit:
University of Glamorgan

Response:
From the online resources mentioned above:

"An NHS hospital is trying to establish how a hard drive containing confidential information on patients was sold on eBay. "

"Researchers examined the drive – which was owned by the trust before appearing on the auction website – and were able to recover the confidential information."

"The trust has outsourced its IT services to Siemens Medical under the terms of a private finance initiative contract, while Siemens in turn subcontracts the disposal of obsolete equipment to Computer Disposals."

"Trust chief executive Paul Farenden said: “All hard drives that leave the trust via this route are subjected to data wiping which meets the UK government’s standard of being over-written three times.”"
[Comfyllama] The mystery is how did this drive not go through the approved disposal process and end up on eBay?

"“Unfortunately an investigation into how this particular hard drive has been openly purchased has not been able to identify the route at this stage, and the trust is continuing with its efforts to identify the source including the possibility of theft,” Farenden said."

"He added that Glamorgan University had securely wiped the data and assured the trust that it had not been disclosed by their researchers."

"The trust and Siemens had carried out an internal investigation and developed a set of recommendations to prevent data from being left on disposed hard drives in future, Farenden added."
[Comfyllama] This is good. It sounds like the trust and Siemens already had a pretty good process in place and this hard drive still slipped through.

"Recommendations, which will be put to the trust board, include a review and tightening of IT equipment disposal policies, a change to the contract between the NHS organisation and Siemens covering responsibility for disposal, and the purchase of a degausser to ensure that hard drives are wiped before they leave hospital premises."
[Comfyllama] As security pertains to secure hard drive disposal, this sounds like a good start.
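The trust's stated control is a three-pass overwrite of every drive that leaves through the disposal route, and the finding here was that recoverable records survived on a drive that reached eBay. The following is an added example, not code from the trust, Siemens or Computer Disposals, that shows what a verified wipe looks like in practice: overwrite the whole image three times, then scan it end to end for the records that were known to be on it. It works on an ordinary file standing in for a block device; the image path, the byte patterns and the sample "patient records" are all constructed for the example.

```python
"""Added example: three-pass overwrite of a disk image, followed by a
residual-data scan. Illustrative code written for this page; the image,
the wipe patterns and the sample records are constructed assumptions."""
import os
import secrets
import tempfile

BLOCK = 64 * 1024  # assumed I/O chunk size


def overwrite_passes(path, passes=3, block=BLOCK):
    """Overwrite every byte of `path` in place, `passes` times.

    Pass patterns cycle through 0x00, 0xFF and random bytes. Each pass is
    flushed and fsync'd so the data actually reaches the device before the
    next pass starts. Returns the number of passes performed.
    """
    size = os.path.getsize(path)
    patterns = [b"\x00", b"\xff", None]  # None means random bytes
    for i in range(passes):
        pat = patterns[i % len(patterns)]
        with open(path, "r+b") as f:
            remaining = size
            while remaining:
                n = min(block, remaining)
                chunk = secrets.token_bytes(n) if pat is None else pat * n
                f.write(chunk)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return passes


def find_residual(path, markers, block=BLOCK):
    """Scan the whole image for any of the byte strings in `markers`.

    Keeps an overlap of (longest marker - 1) bytes between reads so a record
    straddling a chunk boundary is still detected. Returns the set of markers
    found anywhere on the image.
    """
    overlap = max(len(m) for m in markers) - 1
    hits = set()
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(block)
            if not chunk:
                break
            buf = tail + chunk
            for m in markers:
                if m in buf:
                    hits.add(m)
            tail = buf[-overlap:] if overlap else b""
    return hits


def demo():
    """Build a constructed image with two sample records, wipe it, and
    report how many records were recoverable before and after."""
    records = [  # constructed sample data, not real patient information
        b"NHS-NUMBER:0000000000;NAME:SAMPLE PATIENT;DX:CONSTRUCTED",
        b"NHS-NUMBER:1111111111;NAME:ANOTHER SAMPLE;DX:CONSTRUCTED",
    ]
    with tempfile.NamedTemporaryFile(delete=False) as f:
        img = f.name
        f.write(secrets.token_bytes(200_000))  # filler bytes
        f.write(records[0])
        f.write(secrets.token_bytes(BLOCK))
        f.write(records[1])
        f.write(secrets.token_bytes(5_000))
    try:
        before = find_residual(img, records)
        overwrite_passes(img, passes=3)
        after = find_residual(img, records)
    finally:
        os.unlink(img)
    return {"before": len(before), "after": len(after)}


if __name__ == "__main__":
    print(demo())  # expected: {'before': 2, 'after': 0}
```

The verification step is the part that matters for a disposal process: a wipe that is never checked is indistinguishable from a drive that skipped the process altogether, which is exactly what the trust could not establish here. Note also that a logical overwrite reaches only the sectors the operating system can address; sectors a drive has remapped are not touched, which is one reason a degausser or physical destruction is used before a drive leaves the premises.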

Commentary:
This problem is more pervasive than people know. As of this writing there are 586 hard drive lots for sale on eBay. Are you as curious as I am to know how many of these drives have sensitive information? According to the University of Glamorgan study, 62% of these drives will contain sensitive data. Have a hard drive destruction party and take some sledge hammers and big magnets to work.

Past Breaches:
May, 2007 - Stolen NHS Laptop Contains Sensitive Payroll Data
March, 2007 - Stolen NHS Laptop Contains Sensitive Child Patient Data
