An NHS hard drive that turned up on eBay was found to contain patient data despite having supposedly been wiped.
The Dudley Group of Hospitals NHS Trust claimed that it was unaware of how the hard drive containing details of cancer patients found its way onto the auction website, as it was supposed to have been overwritten by private contractors.
"There is an ongoing investigation into this incident involving very senior people and we are looking at possible loopholes in the system," said the Trust in a statement.
"There is no record of this machine going through the systems that Siemens has in place for disposing of equipment. We cannot have something like this happening again."
A spokesman for the Trust said that it is trying to trace the route the drive took to eBay, which includes "the possibility of theft".
The discovery was made as part of a research project sponsored by BT, which aims to highlight the problem of personal data falling into the wrong hands.
BT buys hundreds of second-hand hard drives each year from different sources and passes them on to the University of Glamorgan. Researchers then search the drives to try and reconstruct the data.
The NHS Trust pays Siemens Medical Solutions to dispose of old IT systems under a Private Finance Initiative deal, and the work is sub-contracted to Computer Disposals.
Drives holding information should be overwritten at least three times to meet government standards.
The Trust and Siemens have now put forward recommendations to prevent confidential information being leaked in future.
A meeting of the Trust board is expected to authorise the use of a degausser to ensure that drives are wiped before they leave hospital premises.
Alongside the data from the hospital trust, the hard drive also contained financial information, company records, North Sea drilling information from Texas-based Marathon Oil, and paedophile material which has been handed to police.
Do you agree?
NHS Hard Drive "wipe"
The technical department of any business should know that "wiping" a hard drive does NOT clear the data from the drive's sectors. In order to completely destroy data on a hard disk, the sectors which previously contained data need to be "over-written" so the information cannot be recovered. This is what our US cousins would describe as "tech-101", and I would describe as basic knowledge for anyone who purports to be an ICT technician! Yet another example of how universities and colleges hand out qualifications to people who are patently NOT qualified. So - what's new?
Posted by Thomas O'Doherty, 17 Sep 2007
Nuff said!!
Surely in this day and age with the technology available, and the cost of (second hand) drives, these items should be destroyed. Apparently, to be recycled, these drives are supposed to be over-written three times. What does that cost? I really can't see that it is economically viable to recycle them as useable. Crush or burn them, then sensitive data can't fall into the wrong hands!
Posted by Bob S., 17 Sep 2007