According to the Yorkshire Post, the 22-year-old data quality manager was working for Hull Primary Care Trust (PCT) when he accessed patient records – all for women and mostly for his family, friends and colleagues.
John Fitzsimmons, director of performance, governance and informatics for NHS Hull, said in court that the manager's actions were a serious breach of trust. "Any breach of patient confidentiality is a serious matter and so in this particular case, we welcome the fact a successful criminal prosecution has been brought and that a custodial sentence is being considered", he said,
"It sends out a powerful message to NHS staff and the healthcare community about the importance of data protection," he added.
According to Fitzsimmons, the PCT hopes that the outcome, following a lengthy investigation, will go some way to reassure patients just how seriously we considered this breach of their trust to have been.
The NHS manager appeared at Hull Crown Court earlier this month and pleaded guilty to seven counts of breaching the Computer Misuse Act 1990 by accessing the medical records of patients without authority.
Amichai Shulman, Imperva's chief technology officer, said that, with such a large system with very sensitive information in it, you would have expected the NHS to have some sort of alert system which monitors access and alerts in real-time when company policy is violated.
"Just six months ago the NHS were exposed when it was found that as many as 140 000 non-medical staff, including porters and housekeepers, had access to sensitive NHS patient files. When there is a problem, a responsible organisation should be able to assess the scope of the damage", he said.
"These incidents raise the fact again that the biggest issue related to insider threat is excessive privileges and the abuse of these privileges", he added.
"The UK health industry needs to update its access controls. With such a large number of sensitive records, doing this manually is obviously a near-impossible task so they will have to automate their process of user rights management", he said.
"The system should be able to alert on an illogical access to a database by a user who should not be accessing the data", he added, noting that a good security system to defend against this type of data breach should:
- Automatically update business policies according to normal usage
- Remove excessive access controls to allow access only on a `business need-to-know' level.
- Detect abnormal behaviour.
- Issue alert on business policy violations
- Present a clear picture of what data was accessed, by whom and how was it accessed.