Tag: data

HIV records from NHS trust accidentally sold on the web

The Information Commissioner’s Office has come down hard on the Brighton and Sussex University Hospitals NHS Trust.

The watchdog has slapped the trust with a Civil Monetary Penalty (CMP) of £325,000 following a serious breach of the Data Protection Act (DPA).

And security experts have said they are not surprised at the fine, which is the highest the ICO has issued since it was granted the power to issue CMPs in April 2010.

It follows the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff, which was found on hard drives sold on an internet auction site in October and November 2010.

The ICO said some of the information was also related to HIV and Genito Urinary Medicine (GUM) patients as well as details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports. It also included documents containing staff details such as National Insurance numbers, home addresses, ward and hospital IDs, as well as information referring to criminal convictions and suspected offences.

According to the ICO the data breach occurred when an individual was given the task of destroying the 1,000 hard drives held in a room accessed by key code at Brighton General Hospital in September and October 2010.

However, a data recovery company bought four hard drives from a seller on an internet auction site in December 2010, who had purchased them from the individual.

The ICO at the time was appeased with claims that these were the only four rogue disks. However, in April 2011 it was contacted by staff at a university, which advised them that one of their students had purchased hard drives via an internet auction site. An examination of the drives established that they contained data which belonged to the Trust.

The ICO said the trust had been unable to explain how the individual removed at least 252 of the approximately 1,000 hard drives they were supposed to destroy from the hospital during their five days on site.

It said they were not believed to have known the key code needed to access the room where the drives were stored, and were usually supervised by staff working for HIS. However, the Trust has acknowledged that the individual would have left the building for breaks, and that the hospital was publicly accessible.

Security and communications expert Chris McIntosh, CEO of ViaSat UK, told TechEye that the fine wasn’t a surprise.

“While previously focused against local government, the ICO’s penalty powers have come more and more to bear on the NHS in recent months,” McIntosh said. “This isn’t too surprising: as one of the largest handlers of personal data in the UK, and given the sensitivity of much of that data, the NHS has had many more opportunities for such a catastrophic breach to occur.”

“At the same time,” McIntosh said, “a recent FOI request showed that the NHS was the most reported organisation in terms of lost data and hardware at 40 out of 108 cases nationwide in 2011 / 2012 and, more damningly, insecure disposal of data, responsible for more than twice as many cases as the entire private sector.”

“With these statistics, a penalty of this magnitude was inevitable,” McIntosh continued. “Organisations need to learn from this and all of the ICO’s penalties: data must be encrypted and correctly destroyed, hardware must be kept under lock and key and contractors must be thoroughly vetted to ensure that standards are met.”

Last month the ICO issued a London Community Healthcare trust with a fine of £90,000 after it found it in serious breach of the Data Protection Act.

University aims to uncover value of personal data

London’s Queen Mary University is conducting research into how valuable people rate their own personal data.

In the research, volunteers are invited to install a free Android app on their phone.

The app will ask users some basic information about their background, then ask for more information daily over the next two weeks. Queen Mary says this will emulate the sort of information web companies are gleaning from their users every day.

The questions will be intrusively private, but they cover the sort of information apps routinely take from user behaviour without anyone giving it a second thought: what you are doing, how you feel about what you are doing, where you are, who you are with, and how much the information would be worth to you. It’s no secret that this sort of information is given away for free, online, every day.

What this research actually will be worth to volunteers is the chance to win between £10 and £100 in Amazon vouchers through a prize draw.

Dr Bernadette Kamleitner, from the School of Business and Management, who is leading the study, said personal information is a huge and poorly regulated business. “Although consumers can benefit from the use of their information by receiving customised offers,” Kamleitner said, “others also use individuals’ data to make money”.

The University is hoping that the test will help the researchers understand which data people think is more or less valuable to them. It will also show, the university said, whether people genuinely think personal information has no price.

To get involved, head to PrivacyValue.org.

London Olympics traffic problem solved: 'sleeping pods' at work

In this age of austerity, data centre services company Interxion thinks it has come up with an innovative way to beat the traffic when the Olympics tourists flood London this summer.

While the champagne drinkers who occupy parliament suggested simply going out for dinner every single night until the Olympics are over, Interxion has a more pragmatic approach for workers. Instead of having to deal with the tedium of the tube or forking out for that wallet-sapping congestion charge, its engineers have been given access to temporary bedrooms: Japanese-style ‘sleeping pods’.

Forget BYOD, Interxion is pioneering Bring Your Own Bed.

File away troublesome employees in enormous filing cabinets as they sleep


Not only do the pods offer “comfort”, “privacy”, and “security”, the real dealbreaker is that they can keep staff on site 24/7. Saving potentially hundreds on Oyster top-ups and London Underground travel cards, workers will be able to clock off from a day’s work by climbing into their personal sleeping tubes and quietly nodding off to the relaxing hum of a busy data centre.

In this connected world, engineers can be on call at all times, but with the pods, they can avoid the hassle of going home and coming all the way back to work by kipping on the job.

No sex please, we’re wage slaves

Interxion’s UK managing director, Greg McCulloch, said in a statement: “Due to the nature of our business we need to be ready for all eventualities and while we are excited to have the Olympics in London we also need to be sure that we can continue to offer the highest level of resilience to our customers. The installation of the sleeping pods is another great example of Interxion putting resilience and uptime at the forefront of everything it does.”

Foxtons estimates these pods are renting for up to £1 million each during the Olympics

Perhaps we are being a little unfair to Interxion. A similarly sized studio flat in the area costs approximately £100,000, so it is sitting on some prime real estate.

Interxion’s data centre, based just off trendy Brick Lane, is perfectly placed for local amenities, with a Tesco Express and a Sainsbury’s Local within walking distance, along with plenty of bars, only ten minutes’ walk from the buzzing nightlife of Shoreditch – and just five minutes away from the tourist-friendly, famous curries of Banglatown.

IBM brings patient analysis to hospitals

IBM has announced the development of a biomedical data analysis system which it promises will boost efficiency by targeting healthcare to patients suffering from serious illnesses.

What Big Blue calls its Clinical Genomics analytics platform has been developed alongside an Italian medical research centre, and will leverage IBM’s data crunching powers to create personalised treatments for patients.

It will be possible to select the most effective treatment quickly by using the analysis platform to mull over information like clinical knowledge and guidelines, as well as past case analysis. This is correlated with the data available on the patient to give an idea of the best line of treatment.

For example, the system might look at family history, age, state of the disease, or whether your liver is too frequently doused with litres of vodka, before sending you under the knife.

This will mean quacks can quickly get an IBM-decided automated course of action. While some might prefer to have an actual doctor make such decisions, IBM says there are efficiency benefits. The company reckons there is scope to help in the ongoing management of cancer treatment, or AIDS care.

For example, it could perhaps be possible to offer a number of treatment options to a doctor, with details of how different actions have fared in the past.

Essentially it is hoped that it will help “ease clinical decision-making”, and this could, of course, reduce costs. That would certainly chime with UK politicians intent on hacking the NHS to bits.

Storing that much personal data in one place is always a risk, but IBM stresses that any info would be made anonymous by the removal of any personally identifiable information.

Top six computer outfits sign anti-spy accord

Six consumer computer companies have agreed to tell people whether they are snooping on you before you download applications.

The agreement forces Amazon, Apple, Google, Microsoft, RIM, and Hewlett-Packard to explain how they use private data before an app may be downloaded.

According to Reuters, the deal has been brokered by California’s Attorney General Kamala Harris, who appears to have twisted their arms until they agreed to common standards.

Harris said that users should not have to sacrifice personal privacy to use mobile apps.

More than two thirds of the most downloaded apps do not have privacy notices, said Harris. Some downloaded apps also upload people’s contact books.

Google said in a statement that under the California agreement, Android users will have “even more ways to make informed decisions when it comes to their privacy.”

Apple confirmed it has signed up but did not give any details. Jobs’ Mob has been in a bit of hot water lately after it was discovered that an approved Apple app was more likely to steal data than one that had not been approved.

The Attorney General has said that the State will sue under California’s unfair competition and false advertising laws if developers continue to publish apps without privacy notices.

Verisign hacked

Network infrastructure company Verisign has admitted it was hacked throughout 2010 and has not got a clue what data has been pinched.

The firm told Reuters it “does not believe” the attacks breached servers that support the Domain Name System (DNS) but it could not rule it out.

Data stolen from Verisign’s DNS could allow attackers to intercept unencrypted communications and redirect traffic to malicious web sites. Verisign itself is keeping quiet about the hack and has only told its staff an “ugly, slim sliver of facts”.

The breaches were revealed in an October US Securities and Exchange Commission (SEC) filing required to be disclosed to investors under US law and were only uncovered when Reuters went through more than 2000 SEC filings looking for information on data breach risks.

Verisign security staff apparently reacted quickly to the attack but forgot to mention it to their bosses.

Symantec, which bought Verisign’s digital certificate arm in early 2010, said there was “no evidence” it was affected by the breach.

Megaupload users to sue US government

Users of Megaupload who legally stored their data on the site are suing the US government for data theft.

The US Department of Justice switched off Megaupload servers at the request of Big Content and in doing so cut off millions of legitimate users from their backed-up content.

To be fair, the DoJ had been told that the site was only being used by pirates to distribute illegal content and for some reason it forgot that it might actually be being used legitimately.

According to TorrentFreak, those users are fuming that the Government did not warn them to take their data off the site before it was shut down, and they might have a point.

Ironically the legal campaign is being organised by the Pirates of Catalonia who are working with Pirate Parties International.

A posting on the Pirates of Catalonia Website said that the widespread damage caused by the sudden closure of Megaupload was unjustified and completely disproportionate to the aim intended.

It has created a form where users can register their complaints, and plans to “facilitate submission of complaints against the US authorities in as many countries as possible, to ensure a positive and just result.”

At the moment it is not clear what legal action the group can take. The only specific statutes the Pirates of Catalonia mention are Articles 197 and 198 in the Spanish law which govern the misappropriation of personal data.

At the moment the group said that it is only investigating “potential breaches of law.”

What might stop them being successful is that Megaupload’s terms of service said that users who stored data on the site did so at their own risk. While that might have protected Megaupload from being sued, it could be used by the DoJ to say that legitimate users should have backed up anyway.

Facebook turns over US data to politicians

Social not-working site Facebook is giving detailed personal data to the political research outfit Politico.

The partnership will mean that Politico will be able to compile sentiment analysis reports and voting-age user surveys.

Facebook’s US users’ private status messages and comments will be sent to Politico where they will be analysed for political content and spat out into stories like this one.

Both the social notworking site and Politico say the entire process is automated and no Facebook employees read the posts.

Each public and private comment that mentions a presidential candidate’s name will be fed through a sentiment analysis tool that spits out anonymised measures of the general US Facebook population.

It is similar to the way Google runs reports on search trends based on its users’ aggregate search activities.

How any personal post can be sufficiently anonymous is anyone’s guess, but if you want to really stuff things up, write all your posts so that a machine is unable to work out your real meaning. Sticking the names of both rivals in equal numbers should annoy the bean counters.

Sony hacked again (again)

Sony put over 90,000 accounts on lock-down following a data breach which may have left users’ personal information exposed, again.

Earlier this year, Sony fell victim to one of the biggest hacks in history when it emerged that every single user was at risk of having their personal details leaked. It was a major gaffe which hurt Sony hard; this time, however, the blow appears to have been softer.

An executive, Satoshi Fukuoka, confirmed that there was a large unauthorised effort to crack Sony’s servers between October 7 – 10, reports Bloomberg.

Usernames and passwords were the target, hitting some 93,000 accounts in total – including 35,000 in the USA and 24,000 in Europe. However, credit card information appears untouched.

Fukuoka said there’s no need for alarm, saying that the account suspension was playing it safe and that the accounts actually affected are probably a “small portion” of the blocked usernames. Overall, he said 0.1 percent of Sony’s online customers were hit.

Boss Howard Stringer avoided forcible hara-kiri on-stage at Sony’s HQ after the enormous attack earlier this year, so this one is likely just a drop in the ocean.

RIM maintains silence over unfolding PR disaster

What’s happening over at RIM? Its users were dropped without explanation yesterday in the EMEA region, normally propped up by a data centre in Slough, before returning. Now BlackBerry users have had their online services disappear again.

RIM is maintaining an unhelpful silence. The operators are trying to tell users that it’s not their fault, and the problem is definitely with RIM.

It’s unknown if the outage has anything to do with an overhaul of the BlackBerry system, as RIM seeks to introduce new features. Either way, users can’t use any online services, including email or BBM, reports the Telegraph.

The Guardian’s Charles Arthur claims on his Twitter account that the issues stretch as far as South Africa. A service provider in Abu Dhabi, Etisalat, also says there have been “further interruptions”.

This kind of disaster is exactly what RIM doesn’t need right now. The ailing phone-maker has been trying to convince the world and its dog that it is both a competitor and a differentiator to Android and iOS devices.

There has allegedly been turmoil among the ranks at RIM about questionable leadership, and so far the buy-out rumours, which have propped up its stock, have led to nothing.

RIM’s major mistake so far is its policy of silence. Keeping users in the dark won’t help RIM’s cause and will just alienate customers. A Twitter search reveals a long list of users complaining or claiming they plan to switch devices.

While it appears to be a technical problem, what could be more ruinous for RIM is how it handles the unfolding PR disaster.

*EyeSee What did one BlackBerry user say to the other? Nothing. – @richardpfranks