NHS Choices in offensive passwords blunder

20 Nov 2007

More than 200 GP practices were sent offensive passwords for the Department of Health’s flagship website NHS Choices last week, five days before the second release of the site was due to be launched.

The error, which happened on November 14, was quickly identified and within two hours the NHS Choices team had contacted all 220 affected practices and issued new passwords.

The BMA’s General Practitioner Committee (GPC) told local medical committees that it recognised everything had been done to correct the problem but was concerned that it had been possible for the problem to arise and that the passwords may have caused offence or distress.

Dr Laurence Buckman, chairman of the GPC, told EHI Primary Care that he only found out about the error after it had been resolved.

He added: “The matter blew up and was sorted out in a couple of hours. Somebody made a mistake but they acted extremely promptly and I think we should give them credit for that.”

The problem is thought to have occurred when a computer program used to generate the passwords was not checked for potentially offensive word combinations that could be produced when two words were put together.

A spokesperson for NHS Choices told EHI Primary Care: “We are extremely concerned by what has happened and have launched an immediate inquiry. All those GP practices affected were contacted as soon as this was brought to our attention, and issued with a new password. We apologise unreservedly for any offence that may have been caused."

The second release of NHS Choices (www.nhs.uk) went live this week. GP practices can now update their own details on the site and are being encouraged to do so by the GPC after it was discovered that the first release contained some inaccurate and out-of-date information on practices.

The NHS Choices team says the second release also includes improved search and quicker navigation features, a Behind the Headlines news service, new directories on areas such as maternity, sexual health and weight loss and expanded directories of service.

Beverly Bryant, chief information officer for the Department of Health, told NHS staff earlier this month that the site currently attracts around 1.3 million visits a month and recorded a 15% increase in visits in October.

Expanded information on cancer and mental health services is due to be added to the site before the end of 2007 and in early 2008 the NHS Choices team says it plans to add prescription pathways and a series of personalised health tools designed to encourage users to pro-actively manage their own health.

Fiona Barr

Reader's Comments

Long-term data quality

21 Nov 07 10:11

This is a relatively minor embarassment. Of more concern is whether giving individual practices editing rights to the data will improve data quality or reduce it. On balance I'm inclined to think it will be the latter. If Choices couldn't get 152 PCTs to keep the information up-to-date, then I can't see them getting thousands of individual practices to do it.

Long term data quality

22 Nov 07 12:11

I disagree with the previous comment. If individual practices have the opportunity to check and easily edit information about thier services this can only serve to improve the information available. It certainly shouldn't make things worse. Trying to get up to date informtation from more centralised bodies tends to be more difficult, so it's no wonder the PCTs aren't coming up trumps.

Passwords based on dictionary words?

grant.forrest@nhs.net

27 Nov 07 17:11

"The problem is thought to have occurred when a computer program used to generate the passwords was not checked for potentially offensive word combinations that could be produced when two words were put together." Please correct me if I'm wrong, but I understood that using dictionary words to make passwords was bad practice. It increases the likelihood of a dctionary-attack guessing the correct password. Couldn't it generate random 8-character alphanumeric passwords like most self sign-up systems on the web?