Incident: NHS Surrey Data Breach Due to Improper Data Destruction

Published Date: 2013-08-19

Postmortem Analysis
Timeline
1. The software failure incident, in which NHS Surrey lost sensitive information about 3,000 patients, happened the month before the article was published on August 19, 2013. [20726]

System
1. Data destruction process at NHS Surrey
2. Lack of accredited erasure software or a degausser for non-functioning computers at NHS Surrey
3. Failure to securely recycle computers at NHS Surrey
4. Lack of education and awareness about data erasure requirements at NHS Surrey
5. Failure of companies in general to properly erase data before discarding old computers or hard drives [20726]

Responsible Organization
1. The data destruction company charged with preparing the computers for recycling failed to properly destroy the records, leading to the software failure incident [20726].

Impacted Organization
1. NHS Surrey [20726]

Software Causes
1. Failure to use accredited erasure software or a degausser for secure data deletion [20726]

Non-software Causes
1. Failure to check that the data destruction company had actually destroyed the records before the computers were recycled [20726]
2. Reliance on physical destruction (crushing hard drives) as a sufficient method of data erasure, which proved inadequate [20726]
3. Lack of education and awareness about secure data deletion requirements and methods [20726]

Impacts
1. NHS Surrey was fined £200,000 by data regulators for failing to properly destroy sensitive information about 3,000 patients, a breach of the Data Protection Act [20726].
2. The incident resulted in public condemnation for the company charged with recycling the computers securely [20726].
3. The breach was considered one of the worst data breaches seen by the Information Commissioner's Office (ICO) [20726].
4. The incident highlighted the importance of education about data erasure requirements and the legal consequences of failing to securely delete data [20726].

Preventions
1. Checking and confirming that the data destruction company had securely erased the records using accredited erasure software or a degausser could have prevented the incident [20726].
2. Implementing legal requirements for secure data deletion and ensuring compliance within the organization could have helped prevent data breaches [20726].
3. Using reputable erasure software on functioning hardware to permanently wipe all traces of data, meeting government data deletion standards, could have mitigated the risk of data leaks [20726].

Fixes
1. Implementing accredited erasure software, or using a degausser for non-functioning computers, to ensure permanent data deletion [20726].
2. Educating organizations about data erasure requirements and legal obligations for secure data deletion [20726].
3. Using reputable asset disposal services with certified engineers and security clearances for proper data destruction [20726].

References
1. Information Commissioner's Office (ICO) [20726]
2. Kroll Ontrack [20726]
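The Preventions and Fixes above both come down to one control: do not take a disposal contractor's word that media were erased, verify it. The following is an added illustration, not code from the article or from NHS Surrey, of a screening check that scans a raw disk image for residual readable records; the sample images (an untouched drive, a quick-formatted drive, and a fully overwritten drive) are constructed here with fake patient text and are not real data.

```python
import re
from collections import Counter

SECTOR = 512
MIN_RUN = 12  # printable runs this long are very unlikely in a random overwrite


def inspect_image(image: bytes, sector: int = SECTOR) -> dict:
    """Scan a raw disk image (or a sample of it) for evidence that data survived."""
    sectors = [image[i:i + sector] for i in range(0, len(image), sector)]
    counts = Counter(image)
    # Readable ASCII runs are the signature of records a "delete" or quick
    # format left behind; a real wipe leaves a uniform fill or random bytes.
    fragments = [m.group().decode("ascii")
                 for m in re.finditer(rb"[\x20-\x7e]{%d,}" % MIN_RUN, image)]
    return {
        "sectors": len(sectors),
        "nonzero_sectors": sum(1 for s in sectors if any(s)),
        "distinct_bytes": len(counts),
        "fill_pattern": next(iter(counts)) if len(counts) == 1 else None,
        "text_fragments": fragments,
    }


def looks_wiped(report: dict) -> bool:
    """Screening verdict: uniform fill passes; otherwise any readable text fails.
    Absence of text is necessary, not sufficient (binary or encrypted files would
    also show none), so treat a pass as 'no obvious residue', not as proof."""
    if report["fill_pattern"] is not None:
        return True
    return not report["text_fragments"]


def build_samples() -> dict:
    """Constructed images (fake data) for three disposal outcomes."""
    boot = b"NTFS    ".ljust(SECTOR, b"\x00")          # stand-in filesystem header
    record = (b"Patient: Jane Example, DOB 1970-01-01, Diagnosis: example only"
              .ljust(SECTOR, b"\x00"))
    empty = bytes(SECTOR)
    return {
        "untouched": boot + record * 3,
        "quick_formatted": empty + record * 3,   # header gone, data sectors intact
        "overwritten": empty * 4,                # full single-pass zero overwrite
    }


if __name__ == "__main__":
    for name, img in build_samples().items():
        rep = inspect_image(img)
        print(f"{name:16} wiped={looks_wiped(rep)} text_fragments={len(rep['text_fragments'])}")
```

Run against a real image taken with a block-level tool, sample a spread of sectors rather than only the first ones, since a quick format clears metadata at the start while data sectors deeper in the disk remain.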

Software Taxonomy of Faults

Recurring: multiple_organization
(a) The software failure incident having happened again at one_organization: The article does not mention any similar incident happening again within the same organization (NHS Surrey) or with its products and services, so there is no evidence of a recurring software failure incident within NHS Surrey.
(b) The software failure incident having happened again at multiple_organization: The article cites a Kroll Ontrack study of the methods companies use to erase data, which found that fewer than half of respondents made the effort to delete sensitive data from their old computers or hard drives. This points to a common problem across many organizations, where data erasure practices are not followed adequately and data breaches become likely [20726].

Phase (Design/Operation): design, operation
(a) The design-phase failure was the absence of a check that the data destruction company had actually destroyed the records on the NHS computers before they were recycled. The company believed that crushing hard drives was sufficient to erase the data, but in reality this left the information relatively easy to access. This gap in the design of the secure erasure process led to a significant data breach and the subsequent fine for NHS Surrey [20726].
(b) The operation-phase failure was the failure to securely delete sensitive data from old computers or hard drives before they were discarded. The Kroll Ontrack study found that fewer than half of respondents made the effort to delete sensitive data, so intact computers placed on the secondhand market carry a high potential for data breaches. This operational failure underlines the importance of proper data deletion before disposal [20726].

Boundary (Internal/External): within_system, outside_system
The software failure incident reported in Article 20726 can be categorized as both within_system and outside_system:
(a) within_system: The failure within the system was primarily the lack of proper data destruction procedures within NHS Surrey. The data destruction company tasked with preparing the computers for recycling did not use accredited erasure software or other proper methods to permanently erase the data. This internal oversight left the sensitive information of 3,000 patients easily accessible on the recycled computers [20726].
(b) outside_system: The failure was also influenced by factors outside the system, such as the lack of awareness of, and compliance with, legal requirements for secure data deletion. Despite legal obligations in the UK for secure data erasure, these requirements were neither taught nor enforced. In addition, the breach was discovered by an ordinary member of the public who purchased one of the computers, which indicates a lack of oversight and control over the disposal process [20726].

Nature (Human/Non-human): human_actions
(a) The software failure incident in the NHS Surrey case was due to human actions rather than non-human actions. The hospital failed to ensure that the data destruction company properly destroyed the records before recycling the computers, and the company mistakenly believed that crushing hard drives was sufficient to permanently erase the data, which left the sensitive information easily accessible on the computers sold to the public [20726].

Dimension (Hardware/Software): software
(a) The software failure incident in the NHS Surrey case was not directly related to hardware failure. It resulted from a failure in the data destruction process used when preparing computers for recycling: the data destruction company failed to properly destroy the records on the computers, leading to a breach of sensitive information [20726].
(b) The software failure incident was primarily due to contributing factors originating in software. The data destruction company believed that simply crushing hard drives was enough to permanently erase the data on the NHS computers. That method was not sufficient, as deleted data can still be retrieved from damaged equipment or formatted volumes; proper erasure software or a degausser should have been used to ensure the data was permanently erased [20726].

Objective (Malicious/Non-malicious): non-malicious
(a) The software failure incident reported in Article 20726 was non-malicious. NHS Surrey was fined for losing sensitive information about 3,000 patients because of a failure in the data destruction process: the hospital failed to ensure that the data destruction company properly destroyed the records, leaving the data accessible on recycled computers. This was not malicious intent but a lack of proper procedures and oversight in data erasure [20726].

Intent (Poor/Accidental Decisions): poor_decisions
The software failure incident reported in Article 20726 was primarily due to poor decisions rather than accidental decisions. NHS Surrey failed to check that the data destruction company properly destroyed the records before the computers were recycled, and the company mistakenly believed that crushing hard drives was enough to permanently erase the data, which left the sensitive information easily accessible on the recycled computers. The failure came from poor decision-making in selecting the method of data erasure and disposal, and shows why proper data deletion processes matter for avoiding breaches and legal consequences [20726].

Capability (Incompetence/Accidental): accidental
(a) The software failure incident in Article 20726 was not directly related to development incompetence. It was primarily a case of data mishandling during the disposal process, in which sensitive information about 3,000 patients was not properly erased from NHS computers before recycling. The failure stemmed from a lack of proper data erasure procedures and oversight rather than from development incompetence.
(b) The software failure incident in Article 20726 can be categorized as an accidental failure. The data destruction company tasked with preparing the computers for recycling failed to properly destroy the records, exposing sensitive patient information. This was not a deliberate act but the result of inadequate data erasure practices and oversight during the disposal process.

Duration: permanent
The software failure incident described in the article is best classified as a permanent failure. It arose from a combination of factors: the failure to check the data destruction process, the use of inadequate methods of data erasure, and the lack of education about and compliance with data protection regulations. Together these left sensitive data easily accessible even after the computers were supposed to have been recycled securely [20726].

Behaviour: omission, other
(a) crash: The incident does not involve a crash of the software system; it is a failure in data destruction processes that led to a data breach [20726].
(b) omission: The incident can be attributed to an omission in the data destruction process. The hospital failed to check whether the data destruction company had properly destroyed the records, so the sensitive information was passed on unintentionally [20726].
(c) timing: Timing is not a factor in this software failure; the issue lies in the improper data destruction process rather than in the timing of any software function [20726].
(d) value: The incident does not involve the system performing its intended functions incorrectly; it is a failure to ensure that proper data destruction procedures were followed [20726].
(e) byzantine: The incident does not exhibit the characteristics of a byzantine failure, in which the system behaves erroneously with inconsistent responses and interactions. The failure is a breach of data security protocols [20726].
(f) other: The behaviour of the incident is best described as a failure of data security protocols and data destruction processes leading to a breach, rather than a typical software malfunction [20726].

IoT System Layer

Perception: None (rationale: None)
Communication: None (rationale: None)
Application: None (rationale: None)

Other Details

Consequence: property
(d) property: People's material goods, money, or data were impacted due to the software failure. The software failure incident involving NHS Surrey resulted in the loss of sensitive information about 3,000 patients. The hospital failed to ensure that the data destruction company properly destroyed the records on the computers before recycling them; the company passed on data from the computers, believing that crushing hard drives was sufficient to erase the information. This failure led to a hefty fine for NHS Surrey and public condemnation for the company responsible for recycling the computers securely. The breach was discovered by an ordinary member of the public who purchased one of the computers and found the data on the desktop, which shows how easily the data could be accessed [20726].

Domain: information, health
(a) The failed system in the article belonged to the information industry, as the incident involved the loss of sensitive information about 3,000 patients from NHS Surrey [20726]. The incident highlighted the importance of secure data deletion and the risks of improper data disposal in the information industry.

Sources
