More NHS security flaws
Updated on 26 April 2007
Exclusive: after yesterday's revelations about security breaches on an NHS website, Channel 4 News finds yet more online NHS flaws.
For the second day in a row there has been a breach in the security on the MTAS computer system - used by 32,000 junior doctors to apply for training posts.
Channel 4 News has learned that it was possible to hack into their personal application sites with remarkable ease.
All it took was a simple changing of a number on the URL. Personal messages and details could be found.
Initially we thought it was just MTAS applicants who have their own registration number who could do this.
Now we have learned that if an email was sent with the URL to anyone - not just an applicant - they could access the private sites without even logging in.
The details of how to hack in were posted on a popular medical blog site. The blogger then informed the health department late this afternoon, and this serious flaw appeared to have been immediately fixed.
But just after five - the entire MTAS system was pulled down - it says here for planned essential maintenance - coincidentally just an hour after this latest breach was revealed.
And yesterday there was this - the personal details of medical students applying for foundation course posts open to anyone.
Home telephone numbers, their applications, even their sexual orientation, which as it happens should have been kept separate from their names as it is only needed for ensuring the employers are complying with equal rights legislation.
We believed the MTAS data breach happened over a number of hours. This was also what the health department said. We now know it happened on Monday and was not remedied until we told them yesterday afternoon.
Today, Ministers described this revelation as a malicious leak. The Information Commissioner's Office - the guardian of data protection - has now asked the health department for an explanation and said it was concerned such personal information had been publicly available.
Yet the health secretary Patricia Hewitt had also been warned about another security breach on 5 March by the British Orthopaedic Trainees Association.
"We have also had concerns about the security of the site with shortlisters reporting they could access deanery data and applications they had nothing to do with."
What's more, we have learned that not only could people read the database, but they could even make personal changes to it.
All this does raise serious data protection issues. And this morning, MPs questioned the head of the NHS IT system, Richard Granger, about Connecting for Health - which will hold patient records.
But what we can tell you is that there has already been a data protection breach on Richard Granger's Connecting for Health system.
In February, a number of doctors attended a conference hosted by Connecting for Health.
For some reason their telephone numbers, their home addresses, their email addresses, their mobile numbers were put up on a Connecting for Health website.
A complaint was made. It took about two weeks to take them down but we've now discovered that they still exist on Google.
Experts say this site could easily be locked. One doctor said she was shocked the details were still there.
Less than an hour ago, the health department finally admitted it had suspended the MTAS website not for 'planned maintenance work' - although that's what it still says on the system - but because they were investigating our latest revelations.