NHS trust loses 18,000 staff details

Security firms have questioned the London trust's claim that the passwords of the missing, unencrypted CDs can only be cracked by 'expert hackers'

A London NHS hospital trust has admitted to losing almost 18,000 staff details on four CDs.

The payroll details were lost on 22 July while in transit between the salaries and wages department of Whittington Hospital NHS Trust and payroll company McKesson, where they were to be stored.

David Sloman, chief executive of the Whittington Hospital NHS Trust, said on Tuesday that a staff member had been suspended over the incident, as the discs had been placed in an out-tray in the post room marked 'recorded delivery', instead of being sent by courier.

"It is trust policy to send any such information by courier," said Sloman. "An investigation is underway, with an inquiry panel taking place shortly. In the meantime, a member of staff has been suspended."

The details lost on the 17,990 NHS staff included the names, dates of birth, national insurance numbers, start dates, pay details and sickness dates of all staff who have worked at Whittington Hospital NHS Trust, Camden Primary Care Trust (PCT), Islington PCT, and Camden and Islington NHS Foundation Trust since April 2001. Included in the lost data relating to the financial year 2007–08 were the addresses of 587 Whittington Hospital NHS Trust staff, 2,303 Camden and Islington NHS Foundation Trust staff, 1,458 Camden PCT staff, and 1,050 Islington PCT staff.

A hospital spokesperson told ZDNet.co.uk on Wednesday that personal bank-account details had not been lost, and that police had said the discs were "highly unlikely" to have been stolen. The trust said it did not know whether the discs had gone into the Royal Mail postal system.

The discs were not encrypted but were protected by alphanumeric passwords, which the trust insisted could only be broken by "expert hackers".

However, encryption companies questioned the trust's claims. Passwords are easy to crack, according to CryptoCard UK chief executive Jason Hart, even if they do contain a mixture of letters and numbers.

"There are a very large number of utilities that can brute-force passwords in a matter of seconds," Hart told ZDNet.co.uk on Tuesday. "Alphanumeric passwords do not make a difference. You do not need to be an expert to crack passwords; anyone who's IT literate can go onto the web, type 'password cracker' into a search program, and download a number of utilities and tools."

Nick Lowe, Check Point's regional director for Northern Europe, said that passwords are "only a very basic step that can be overcome fairly easily by anyone with a little determination".

"With this type of data, in a high-risk environment, strong automated encryption is the minimum protection that should be applied," said Lowe.
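The two points made above, that mixing letters and digits barely changes how long a password survives guessing, and that properly derived encryption keys are the real protection, can be put in numbers. The following is an added illustration, not code from the article or from the trust, and its guessing rates and iteration count are constructed assumptions, not measurements of any real tool or hardware. It compares how long it takes to exhaust every letters-only or alphanumeric password of a given length at a fast rate, and how far a deliberate key-derivation work factor (PBKDF2, as a file encryptor should apply) stretches the same figure.

```python
import hashlib

# Character-set sizes for the two policies the article contrasts:
# letters only, and letters plus digits ("alphanumeric").
LETTERS_ONLY = 26
ALPHANUMERIC = 62

# Constructed assumptions, not measurements: a fast unsalted hash on
# commodity hardware, and a slow key-derivation work factor per guess.
FAST_HASH_RATE = 1e9          # guesses per second against a plain hash
PBKDF2_ITERATIONS = 600_000   # hashes spent on every guess under PBKDF2

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length, charset_size=ALPHANUMERIC):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(length, guesses_per_second, charset_size=ALPHANUMERIC):
    """Worst-case time to try every password of this length at the given rate."""
    return keyspace(length, charset_size) / guesses_per_second


def kdf_guess_rate(base_rate, iterations):
    """A guess against a PBKDF2-protected secret costs `iterations` hashes,
    so the attacker's effective rate drops by that factor."""
    return base_rate / iterations


def derive_key(password, salt, iterations=PBKDF2_ITERATIONS):
    """Derive a 256-bit key from a passphrase and a per-file salt.
    This is the step a file encryptor performs before handing the key to an
    authenticated cipher; a bare password check on a disc is not this."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=32)


def years(seconds):
    return seconds / SECONDS_PER_YEAR


def comparison_table(lengths=(6, 8, 10, 12)):
    """For each password length, years to exhaust the space under three
    regimes: letters-only at the fast rate, alphanumeric at the fast rate,
    and alphanumeric with PBKDF2 slowing every guess."""
    slow_rate = kdf_guess_rate(FAST_HASH_RATE, PBKDF2_ITERATIONS)
    rows = []
    for n in lengths:
        rows.append({
            "length": n,
            "letters_fast_years": years(seconds_to_exhaust(n, FAST_HASH_RATE, LETTERS_ONLY)),
            "alnum_fast_years": years(seconds_to_exhaust(n, FAST_HASH_RATE)),
            "alnum_kdf_years": years(seconds_to_exhaust(n, slow_rate)),
        })
    return rows


if __name__ == "__main__":
    print(f"{'len':>3} {'letters/fast':>14} {'alnum/fast':>14} {'alnum/PBKDF2':>14}  (years)")
    for row in comparison_table():
        print(f"{row['length']:>3} {row['letters_fast_years']:>14.3g} "
              f"{row['alnum_fast_years']:>14.3g} {row['alnum_kdf_years']:>14.3g}")
    # Constructed sample: a per-file salt and passphrase used only to show
    # that the derived key is deterministic for one salt and differs for another.
    key_a = derive_key("constructed passphrase", b"constructed-salt-a")
    key_b = derive_key("constructed passphrase", b"constructed-salt-b")
    print("keys differ across salts:", key_a != key_b)
```

At the assumed fast rate an eight-character password is exhausted in minutes (letters only) or days (alphanumeric), which is why adding digits is no real defence; the PBKDF2 column is the only one that reaches thousands of years, and it does so by slowing every guess rather than by changing the character set. The derived key is what a real encryptor would feed to an authenticated cipher such as AES-GCM (not in the Python standard library, so not shown here); the point for a data export like the one lost is that the protection comes from the key-derivation work factor and the cipher, not from a password prompt.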