by mseebach 3625 days ago
That's the problem with blame culture. It needs to be someone's (emphasis ONE) fault, and then anyone else can breathe a sigh of relief and move on.

It's blatantly irresponsible that SSI even has the infrastructure to burn CDs with this information on it (it needs to live in a heavily secured, jealously guarded and scrupulously audited (ideally airgapped) computer system). If they absolutely need this capability, it's blatantly irresponsible to let such a CD out of the care of trusted employees -- and if they absolutely need to post it, they need to heavily encrypt it.

It's not meaningfully "the post service's fault".

3 comments

I apologise, that summary was inaccurate. But parent's wording seemed to indicate that the SSI had sent the letter to the wrong recipient when that was not the case. I wanted to clear that up.

The problem is that SSI sent the data unencrypted.

The problem was that they sent it at all.
I hate to tell you this but such information is widely emailed around as Excel spreadsheet attachments by unthinking people. I would virtually guarantee it happens every day.
This is how the US debt collection system works according to an article I read a couple of years ago...
Likely the capability exists for when someone moves to another part of the country, and the local doctor wants to check the new patient's medical history.

Note also that the data was meant for what I assume is the national statistics office. Likely for investigating changes in Danish public health over recent years.

Unless by airgapped you mean to build a separate, free standing, network just for delivering medical records to doctor's offices around the nation.

First, this is not about doctors exchanging patients' medical histories, it's about two central government offices exchanging everybody's medical histories.

Second, the fact that security is (really!) hard is not a valid argument against doing it.

Third, there's a huge difference between the appropriate levels of security around individual patients' medical histories, a single doctor's office worth of patients' data, and then the collective medical histories for every single patient in the nation.

> Third, there's a huge difference between the appropriate levels of security around individual patients' medical histories, a single doctor's office worth of patients' data, and then the collective medical histories for every single patient in the nation.

Hang on: If you're extracting an individual's medical data and putting that on a USB stick you better make sure it's encrypted, and that there are audit trails in place for who extracted the data, when, and why, and where they put it.

Yes, if it's everyone's data you have a senior member of staff drive over and deliver it by hand. Denmark isn't very large.
That it is hard isn't an excuse. That the customers don't pay for security is. And by pay I mean not only the paycheck but also funding and giving prestige and power to doing so. Government IT security is often seen as a necessary evil and most troubles stem from that view.

If you buy a cheap knockoff, don't complain when it turns out to not be as good.