AOH :: PT-1111.HTM

Hospitals demo-hacked -- over 1.2 million patient records retrieved

Hospitals demo-hacked -- over 1.2 million patient records retrieved
Hospitals demo-hacked -- over 1.2 million patient records retrieved

[Apologies for the dearth of Politech messages recently. I've been on 
vacation in Nova Scotia (and, next week, Prince Edward Island). I'm 
slowly catching up. --Declan]

-------- Original Message --------
Subject: Hospitals hacked - over 1.2 million patient records retrieved - 
risks of national EPR database
Date: Fri, 09 Sep 2005 16:46:49 +0200
From: Karin Spaink  
To: Declan McCullagh  

In a hack of two hospitals, computer security experts of ITSX
, Fox-IT  and Madison Gurkha 
 retrieved over 1.2 million electronic 
patient records, i.e. the medical records of 8% of the entire Dutch
population. The hospitals had agreed to the test on condition that
their names would not be revealed.

One of the hospitals involved has developed a regional electronic
patient database in which a number of hospitals and general
practioners co-operate and exchanmge information over the internet;
the other, an academic hospital, is a participant in the newly
developing national electronic patient database which will be
accessible for health care workers, also using the internet. The
experts could retrieve all information regarding these 1.2 million
people: insurance number, address, date of birth, length, weight,
illnesses, history of treatment, past and current medication, etc.
The experts were able to alter or delete this information (but of
course refrained from soing so).

The test was part of a new project of Dutch ISP XS4ALL, called 'The
Next Ten Years', a series of books dealing with the social aspects
of developing internet technologies. The first book, 'Medical
secrets', deals with the pros and cons of electronic patient records
(EPRs) and was written by TNTY-editor in chief Karin Spaink. She
also organised the hospital security tests.

A national system for EPRs will be implemented in the next years,
starting Januari 2006. There has not yet been any public debate
about EPRs, nor has there been a proper assessment of the risks of
making medical information available over the internet.

The Dutch minister of Health Hans Hoogervorst was questioned on the
matter a few days after the hack, and wrote it off to 'poor internal
procedures and administration', not to his lack of investment in a
solid infrastructure. Considering that all medical information is
stored unencrypted, that hospitals use uncompartimentalised database
systems (which allows all databases - and thus, all intruders - to
freely exchange information), and often only rely on firewalls
against outside invasion, developing a more robust system will only
be possible if serious financial commitments will be made. The Dutch
national institute that is supposed to guide the implementation of a
national EPR database, Nictiz, denied all responsibility too,
stating that 'the integrity and safety of medical data is not our
responsibility, but that of the health care institutions from which
they originate'. Nictiz failed to explain how a reliable structure
can be built upon unsafe building blocks.

- K -

We all know that good intentions are a perfect substitute for
    - de Bris on, Feb. 25 2003

Politech mailing list
Archived at 
Moderated by Declan McCullagh ( 

Make REAL money with your website!

The entire AOH site is optimized to look best in Firefox® 2.0 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an email address, please forward it with full headers to