Feeds

Roche exposes medical details on website

Testing times

Internet Security Threat Report 2014

The medical testing arm of pharmaceutical giant Roche has exposed the personal and medical details of UK customers on its website. The firm has admitted the security breach but has not explained how it happened.

Customers who had registered their details with Roche Diagnostics received the first edition of an email newsletter on Wednesday which included a link via which they could update their personal details.

Users who clicked on that link were directed to a Roche website which displayed the details of someone else.

"I saw the details of the same person several times, then it changed and I saw another person's details several times," said Tim Trent, a newsletter recipient who is also a marketing and privacy specialist. "In all I saw six other people's details."

Trent informed the people whose details he saw and the firm, having received the email on Wednesday morning. Roche spokeswoman Hazel Clarke said that the link was deactivated later that morning.

"We did have that issue this week, on Wednesday," said Clarke. "When we became aware of it we immediately acted to rectify the problem. It lasted for a number of minutes, maybe 90 minutes at most."

Clarke was unable to say how many people had had their details exposed or had seen the personal details of others. She did not say how the breach had happened or how many people the email was sent to.

"The main issue to do with details was stopped immediately and beyond that we need to ensure doesn't happen again, and that is what we are working on now," she said.

The email was in relation to the Accu-Chek range of diabetes testing products.

Trent said he had made a formal complaint to the Information Commissioner's Office. "Some of the details I could access showed that a person was on a particular kind of drug treatment, which isn't good news," said Trent. "Loads of people follow the exhortation to register with Roche Diagnostics, and probably even gave consent to email marketing. But we didn't give them consent to have their data records on public display."

Copyright © 2007, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.