One of the recurring themes of the past few years in the UK is data lost by the public sector on USB drives, CDs and so on. The National Health Service seems to have been particularly prone to this sort of haemorrhage. So I wouldn't normally flag yet another such incident (at any rate, to an audience that doesn't primarily comprise UK readers), even though lost data relating to 1.6 million people shouldn't be regarded lightly.
But the incident has been marked by more-than-usually-hamfisted damage limitation. I did resist the temptation yesterday to quote The Register's subtle hint that it might be of little comfort to those 1.6 million people that the data were from 2002, since their dates of birth are unlikely to have changed, even if their names and addresses have.
Well, my address has changed several times since 2002, but unfortunately my name hasn't changed since the 1940s… More fortunately, I don't live anywhere near Kent and Medway, and never have.
However, today's Guardian article quotes Anne Sutton, the Trust's chief executive, as saying also that "information is now more secure following the implementation of encryption systems to replace the use of floppy discs* and CDs," and I'm afraid I have to protest. I think (I hope) I know what she means, but I wonder if Kent and Medway staff are also being instructed in the use of spreadsheets to remove viruses, or flash drives to defragment hard disks? But it's a while since I checked out the latest versions of PGP: perhaps it now does all that as well…
Hat tip to Juha-Matti Laurio for drawing my attention to this story.
Let's hope that Kent and Medway's IT and Information Governance people understand the issues a little better than their boss seems to, if these quotes are correct.
*I know that not all NHS systems are state-of-the-art, but floppy disks??? Errr, discs???
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
Author David Harley, We Live Security