The Medical Training Application Service website will be the subject of a Department of Health investigation after an undercover reporter found that the private details of over 1,000 junior doctor applicants were available to view on the website.
Channel 4 News said that it logged onto a website provided to them by a doctor and found they had access to confidential information including doctors’ addresses and telephone numbers, previous convictions, sexual orientation and religion.
According to the programme, the information was available from at least 9am to 5.05pm on Wednesday 25 April on a dedicated URL provided for selectors, the channel reported: “It appears that the information was downloaded onto Excel files and placed on an unsecured website that could be accessed by anyone through the internet.”
The Department of Health were informed at 4.35pm and had the URL blocked within half an hour.
In a statement, the DH said: “We apologise to any applicants whose details have been improperly accessed. This is a very serious matter and is under investigation.
“This URL was made available to a strictly-limited number of people making checks as part of the employment process. This information was never publicly available through the NHS Medical Training Application Service website and was only accessible for only a short period of time after details of the URL were leaked. The MTAS team fixed the problem as soon as it was brought to their attention.”
The BMA condemned the “appalling breach of students’ confidentiality”. Dr Jo Hilborne, chairman of the BMA Junior Doctors Committee said: “What little faith anyone had left in this shambolic system has just evaporated. It is a breach of security on an appalling scale. The ease with which anyone could have accessed highly sensitive information about thousands of people is frankly shocking.
“The BMA has raised concerns about the security of the MTAS website on more than one occasion. The Department of Health had months to put it right and failed. There can be no excuse for this.”
Emily Rigby, chair of the BMA Medical Students Committee, added the security flaw added to the worries of the applicants, who are currently taking exams.
“Many of the people affected are currently taking their finals and this just adds to the stress they’re under. We’re incredibly concerned about the extent of the breach and the surrounding security issues. We demand a full and thorough investigation and to know what steps will be taken to assure this can never happen again.
“What has happened is appalling and it’s inexcusable. We raised concerns about online security for medical students’ applications last year after the system was hacked into. We were given explicit assurances it wouldn’t happen again. Despite improvements this year in the MTAS system for students there are still areas of concern and confidence is fragile. The breach has led to many students questioning the validity of the system.”
The latest failure adds to problems at MTAS which is supposed to handle applications for higher medical training, sifting them by a computer-based system to produce shortlists of candidates suitable for interview and follows the BMA’s recent warning that the NHS could lose thousands of doctors overseas due to the chaos in medical training.
The Liberal Democrats announced they have written to the Information Commissioner asking him to urgently investigate the release of sensitive personal data of junior doctors on a Government website.
Norman Lamb, health spokesperson for the party, wrote: “The lack of consideration for the security of personal data in this case seems to constitute a serious breach of the Data Protection Act. I am sure you will agree this is an extremely concerning situation. I therefore ask that you thoroughly and urgently investigate this matter.”
He added: “Are there any lessons to be learnt from this debacle in respect of the plans to establish a national database of patient records under the ‘Connecting for Health’ IT programme?”
The security flaw was mentioned in yesterday’s Health Select Committee meeting on the electronic patient record with the committee chair, Kevin Barron, MP, asking Richard Granger, director general of IT for the NHS if such incidents would increase concerns from the public about the security of their records.
Granger replied: “I can’t give a cast iron guarantee that things won’t go wrong, however compared to MTAS, our suppliers all have experience with security and we are introducing functionality incrementally, mitigating risks and examining any necessary changes before the next stages.”
Links