Tag: website breach

NHS Trust faxed patient data to the wrong number for three months

A London Community Healthcare trust has been slapped with a fine of £90,000 after the Information Commissioner’s Office found it in serious breach of the Data Protection Act.

The watchdog, which had its website hacked last week amid accusations that it didn’t protect citizens’ privacy enough, first became aware of the NHS Trust’s wrongdoings back in March 2011.

This was after patient lists from the Pembridge Palliative Care Unit, intended for St John’s Hospice, were faxed to the wrong recipient.

The patient lists were said to contain sensitive personal data relating to 59 individuals. This included medical diagnoses and information relating to their domestic situations and resuscitation instructions.

The individual informed the Trust in June that they had been receiving the patient lists, which consisted of around 45 faxes over a three-month period. However, they claimed that to protect privacy, they had shredded them.

The ICO conducted an investigation that found the trust had failed to have sufficient checks in place to ensure sensitive information sent by fax was delivered to the correct recipient. It also barked at the trust for failing to provide robust data protection guidance and training to the members of staff who had accidentally sent the faxes.

Stephen Eckersley, the ICO’s Head of Enforcement, said that the fact that this information was sent to the wrong recipient for three months without anyone noticing made the case “all the more worrying”.

"Inadequate" ICO hit by Anonymous

A group working under the banner of Anonymous has succeeded in bringing down the ICO’s website with a suspected DDoS attack.

The privacy watchdog’s site was down for all of yesterday after a group identifying with the collective dealt its blow.

According to a Tumblr page, the team – calling itself Anon A Team – targeted the privacy watchdog because they believed it lacked independence and had repeatedly failed “to protect the public’s privacy from hacking or data protection breaches.”

It also claimed that the law protecting privacy was “inadequate and with disproportionate measures in relation to political protests but none for the civil service or media,” and that there was a systematic bias in the way the press reports public interest stories – as a consequence of its failure to give sufficient weight to certain stories.

“There is zero commitment by all our regulators to protect UK citizens from data protection breaches,” it continued.

The group described the Leveson inquiry as a “farce”.

The sentiments were echoed in an interview at TechWeek Europe, where someone claiming to be affiliated with Anonymous said the watchdog was not “equipped, nor have the motivation to ensure that we are protected”.

The attack was met with mixed feelings by the security industry with many refusing to comment.

However, one security professional did speak with TechEye under anonymity. “Hackers are far cleverer than heads of states, government bodies and companies,” the source said. “No matter how much security is in place, if Anonymous wants to take you down, it will.

“Do I agree with this attack? They do have a point about privacy,” the source said.

The ICO itself refused to speak beyond issuing a generic statement:

“Access to the ICO website has been disrupted over the past few days. We believe this is due to a distributed denial of service attack. The website itself has not been damaged, but people have been unable to access it. We provide a public facing website which contains no sensitive information.

“We regret this disruption to our service; however we are pleased that our website is now available.”