NHS Number

Mark Cottle ukcrypto at airburst.co.uk
Thu Jan 13 14:11:10 GMT 2011

To return to the original issue again, I would add to Ross Anderson's 
list a third problem.

(3) Possession of any information about an individual is potentially 
useful to a miscreant seeking to use social engineering to access 
further information or perpetrate fraud. 

Discussions about personal information (such as that about NI 
numbers) often seem to concentrate on questions about when and where 
information is strictly or technically required for particular 
purposes. I also think there is a terrible tendency for people to 
make assumptions that if policy or law is set in place to specify 
that particular information operations require use of particular 
pieces of data or exclusion of other pieces of data then that is how 
things will work in practice. It seems to me the real world very 
often works on the principles of misunderstanding, expediency, 
laziness and general cock-up. 

So I can easily envisage a situation where a miscreant is trying to 
access, for example, medical or financial records but does not 
possess the credentials or information that's strictly required in 
such cases. Imagine the attempt occurs in a phone call to a typical 
overworked, underpaid, unimaginative administrative employee who's 
had typically dull formulaic training. The admin employee asks for 
what they've been trained to request. "Ah", says our miscreant, 
"there's been some confusion. You're asking for X and they've only 
given me Y. We're under a bit of pressure so it's going to be a 
nightmare if I have to go back and get it. I do have an (NHS or NI) 
number if that's any help". And thus the miscreant plants in the 
admin employee's mind the impression they have some sort of access 
privileges of an official nature and can thus be trusted with an 
(apparently) minor breach of protocol. Furthermore, any piece of data 
acquired through such an exchange could be an additional means to 
leverage further access in subsequent attempts.

OK, that's a clumsy simplified example, but it illustrates events 
that happen in the real world. I'm pretty certain it's widely 
practised in certain quarters of the journalism business. 

So, even if an NHS number did not technically give access to very 
much, it would still be a matter of concern if they were obtainable 
by the wrong people. Given that it *does* seem to be a key to other 
data it seems especially worrying.


On 8 Jan 2011 at 10:48, Ross Anderson wrote:

> > Going back to the main issue - is the ability to get hold of
> > someone else's NHS number any sort of problem?
> (1) "De-identified" databases of med records used in research often
> have the NHS number even if name and address have been removed
> (2) The PDS system which people use to look up your NHS number lets
> users find anyone in the country, including ex-directory numbers; it
> has an audit trail showing all the health organisations you've dealt
> with. If you're a celeb who's an outpatient at the Maudsley, that
> could be bad news.
