Slashdot Mirror


NHS Fined After Computer Holding Patient Records Found On eBay

judgecorp writes "NHS Surrey, part of Britain's health service, has been fined £200,000 when a computer holding more than 3000 patient records was found for sale on eBay. The system was retired, and given to a contractor who promised to dispose of it securely for free, in exchange for any salvage value... but clearly just put the whole system up for sale."

21 of 186 comments

  1. How does... by Anonymous Coward · · Score: 3, Insightful

    The government fine itself?

    1. Re:How does... by Joce640k · · Score: 4, Insightful

      They shouldn't be fining themselves, they should be jailing the person responsible for handing them to the "unnamed contractor" (who was probably a friend).

      --
      No sig today...
    2. Re: How does... by Joce640k · · Score: 4, Informative

      Because there was no actual "contract" requiring him to destroy them.

      That's the real problem in this case - no contract. It's all in TFA (if you can be bothered with such trivia).

      --
      No sig today...
    3. Re:How does... by hairyfeet · · Score: 5, Insightful

      Actually as a PC repair guy who often does this very thing I say they should throw the contractor in jail, he is making us all look bad.

      I've done plenty of work for the city in the past and they know any donations they give to me will be wiped clean so they have no problem handing me desktops and laptops that are being replaced. Are there any records on them? Probably, but I wouldn't know as the first thing they get is a boot 'n nuke from me, the ONLY thing I don't wipe is the factory restore partition if it has one, everything else? Wiped before I ever mess with the system.

      So I'm all for throwing this asshole in jail because it's jerks like this that end up causing systems to be disposed of via shotgun. In a dead economy there are plenty of folks hurting out there and these off-lease systems can be used to make sure anybody can have a PC, hell thanks to donations from the city I have a complete desktop system for $50 at the shop. Sure it's not the fastest thing in the world but it surfs, burns DVDs, and when somebody needs a PC so their kid can look up info for school reports and they can look for a second job? A system like that can really make a difference. This is why I fricking HATE when assholes like this do dumb shit like just throwing it on eBay, he could have boot n' nuked and been done in no time, throw the lazy ass in jail.

      And if you work in a position that has getting rid of older systems as part of your duties? Don't dispose of via shotgun, talk to the local shop guys, talk to the local churches, there is usually a guy like me that is happy to refurb 'em for the poor folks and unlike this douchebag we're happy to do secure wiping on anything you hand us. There is nothing like the feeling of making a difference, just last week I donated a couple of systems to one of the local churches so they could expand their computer classes, they do a lot of work with abused women and teaching them basic computer and office skills helps them get a job and not be dependent on some wife beating scumbag. I wouldn't have been able to hand those systems over if they hadn't been donated to me, so ask around, those old P4s and Athlons may be junkers to you but it could make a difference to somebody else.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    4. Re:How does... by Joce640k · · Score: 2

      How hard can it be for a government to make a CD stick which you insert in a PC which boots up and wipes the hard drive?

      They could insert one in every PC before they remove it from the person's desk. It would take about ten minutes. If they're doing a roomful of PCs (as they mostly do) then by the time you got around to putting the CD in the last machine, the first one would be finished.

      --
      No sig today...
    5. Re:How does... by jellomizer · · Score: 3, Informative

      Simple, there are a bunch of ministries, departments, and divisions and other units all with a degree of autonomy, their own budgets, and other stuff.

      When you ask nearly any government employee where they work, they will not say "I work for the Government." They will say "I work in the Department of whatever..."
      So if you fine a government agency the money leaves their budget and goes away from their department and to another area. Leaving that department with less money budgeted towards what they need to do. As well it would affect their influence of getting additional funding for the next year.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    6. Re:How does... by beltsbear · · Score: 4, Insightful

      Agreed. I used to do the same, take in free donated systems and wipe them with dban or other zero writing software. It was easy and ensured the buyer got a clean system. The main reason why people destroy perfectly good machines instead of giving them to someone like me (or charity) is fear of the type of behavior shown.

      And for god sakes, you do not need to DESTROY the hard drive. Zero writing is fine for anything not containing national security level secrets.

    7. Re: How does... by Joce640k · · Score: 2

      Ok, let's agree it's more than 10 minutes. Now can you address the actual point...?

      (I should have known better than to put an actual number on slashdot...)

      --
      No sig today...
    8. Re: How does... by Joce640k · · Score: 2

      ... for sensitive data, more passes is standard.

      Somebody needs to question that standard. There's no credible evidence that data can be recovered after writing a single pass of random data.

      Even if there was any evidence (and let's be clear, there isn't...), if anybody wants to spend that much money trying to recover data from machines bought randomly on eBay they should be encouraged to do so. The sooner they go bankrupt, the better.

      --
      No sig today...
    9. Re:How does... by Kat+M. · · Score: 3, Informative

      First, the Information Commissioner's Office is an independent body, subject to supervision by the courts, not any ministry. It cannot and does not care (modulo human error) whether the responsible entity was a public or private body, except where the law distinguishes between them.

      Second, an NHS trust (which NHS Surrey is) is technically not part of the government, but a public sector corporation with separate auditing requirements and separate liability. Another example is that NHS trusts are also vicariously liable for malpractice by doctors and nurses they employ.

      While it is correct that in the end all the fines do come out of the UK's budget and go back into the UK's budget, separate liability arrangements allow for more fine-grained auditability and accountability. Fines may be budget neutral overall, but they still are highly undesirable for the sanctioned body, creating an incentive to avoid them.

    10. Re:How does... by julesh · · Score: 2

      No, but it is a motive for him to want to see criminal offenses prosecuted.

      But as nobody has suggested a criminal offence of which the contractor may be guilty, it hardly seems relevant.

    11. Re: How does... by Hognoxious · · Score: 2

      The reason given by the information commissioner's office, was that the NHS staff should have supervised the contractor and independently verified the destruction.

      Garbage. Is every air passenger expected to be an aeronautical engineer and supervise the construction of the plane so that the wings don't fall off?

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    12. Re:How does... by petermgreen · · Score: 2

      Afaict there are basically two real problems with overwriting.

      1: drives remap sectors that are detected as troublesome (often before they go completely unreadable). This makes it very hard to ensure that you really hit every sector with your overwrite pass. Some drives have a built in secure erase feature that should solve this but then you are relying on the drive vendor to have implemented it correctly.
      2: Even if you have decided that the risk from remapped sectors is tolerable you have to be EXTREMELY careful to make sure only successfully wiped drives get released and that drives which cannot be cleanly wiped get diverted to physical destruction.

      Even assuming wiping carefully costs the same as physical destruction if a failure to wipe costs you $200000 and the value of a wiped hard drive is $20 then one leak in TEN THOUSAND drives processed is potentially enough to destroy the benefits.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
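
The release gate described in the comment above (only drives verified as wiped get released, everything else goes to physical destruction), as an added example that is not part of the original thread. It assumes the wipe was a zero-fill pass, and the function names and sample images are constructed for illustration; as the comment notes, reading the device back cannot see remapped sectors.

```python
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time

def verify_zeroed(path, expected_size):
    """Return (ok, reason); ok is True only if every readable byte is zero."""
    try:
        with open(path, "rb") as dev:
            size = dev.seek(0, os.SEEK_END)  # works for image files and block devices
            if size != expected_size:
                # Wrong capacity means we cannot claim the whole drive was covered.
                return False, f"size mismatch: {size} != {expected_size}"
            dev.seek(0)
            offset = 0
            while offset < size:
                buf = dev.read(min(CHUNK, size - offset))
                if not buf:
                    return False, f"short read at offset {offset}"
                if buf.count(0) != len(buf):
                    bad = offset + len(buf) - len(buf.lstrip(b"\x00"))
                    return False, f"non-zero byte at offset {bad}"
                offset += len(buf)
    except OSError as exc:
        # An unreadable sector is unverifiable, so it fails closed.
        return False, f"read error: {exc}"
    return True, "all bytes zero"

def triage(path, expected_size):
    """Anything that is not positively verified is diverted to destruction."""
    ok, reason = verify_zeroed(path, expected_size)
    return ("release" if ok else "destroy"), reason

def _make_image(size, dirty_at=None):
    """Constructed sample: zero-filled image, optionally with one leftover byte."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(bytes(size))
        if dirty_at is not None:
            f.seek(dirty_at)
            f.write(b"\x41")
    return path

def demo():
    size = 3 * CHUNK + 512
    clean = _make_image(size)
    dirty = _make_image(size, dirty_at=2 * CHUNK + 7)
    try:
        return triage(clean, size), triage(dirty, size), triage(clean, size + 512)
    finally:
        os.remove(clean)
        os.remove(dirty)

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```
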
    13. Re: How does... by hairyfeet · · Score: 2

      As a guy that has been doing this since the Shat sold Vics on TV I can tell you where that old wives tale came from and why it no longer applies. The very first drives used either RFM or MFM coding (been awhile) and the drives weren't very precise so it could slip a track and miss data, hence the multiwipe. That hasn't been true in 20 years though, with grooves so tiny and motors so precise no way a drive that isn't already dying is gonna miss a track, no way.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. I wonder by ozduo4 · · Score: 5, Funny

    If prism will be selling their old computers too?

  3. Fines.. by Bert64 · · Score: 5, Insightful

    Fining the NHS is pointless, it only harms the NHS itself... Those responsible don't care because it's not their money.
    They should fine the contractor instead, as it was his laziness/incompetence that caused this.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    1. Re:Fines.. by Fjandr · · Score: 3, Insightful

      While there was negligence on both parts, I definitely agree that the contractor should be penalized for failure to perform the promised service.

    2. Re:Fines.. by leathered · · Score: 3, Informative

      Look up Vicarious Liability, it's a tenet of Common Law.

      Too many MBAs believe that when you outsource, you are offloading responsibility. 'It was the contractor's fault, your honour' will not wash in any court of law.

      --
      For all intensive porpoises your a bunch of rediculous loosers
  4. A: Because it breaks the flow of a message by DNS-and-BIND · · Score: 5, Insightful

    Q: Why is starting a comment in the Subject: line incredibly irritating?

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  5. Should be fining the contractor, not the client by radio4fan · · Score: 4, Insightful

    I don't really get this. The NHS contracts out the disposal of the machines to a private contractor, who then royally screws up, and it's the fault of the NHS?

    Surely the responsibility lies with the contractor?

    FTA:

    “Should they [the contractor] be accountable? Definitely not, because NHS Surrey have been entrusted with the welfare of their patients. Should the contractor be responsible? Absolutely, yes,” Jones added.

    This seems to me an argument that the NHS cannot outsource or subcontract anything.

    What is NHS Surrey supposed to do in this scenario? Use in-house people to analyse the machines to make sure there is no data remaining before disposing of them?

    Or just keep data-disposal services in-house? Personally, I think this would be a great idea, but it goes against the dogmatic 'privatise absolutely everything possible' trend in the UK.

    “We should not have to tell organisations to think twice, before outsourcing vital services to companies who offer to work for free.”

    Except they didn't work for free: they worked for the salvage value. I can't really see how the low value of the contract proves fault.

  6. For some reason, I'm thinking of Dumbo. by Hognoxious · · Score: 2

    I wanna see a "CD stick".

    Coat [at least] one side with glue.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."