A hospital administrator who was sacked for using an NHS computer to download over 10,000 patient and employee records has been spared jailed.
Daniel Moonie, 27, had been cautioned by police after he accessed the Royal Stoke University Hospital’s computer network from home.
He and a fellow employee went on to gain further unauthorised access to the hospital’s database, downloading 600 staff-related documents, around 150 documents relating to management, and 8,895 images of cardiac tests.
Daniel Moonie (above) was sacked from Stoke-on-Trent’s main hospital after accessing the NHS computer system and downloading more than 10,000 confidential patient and employee records. The 27-year-old was initially handed a police caution for accessing its computer network at home. And months later it was discovered the defendant and another employee had gained further unauthorised access to the hospital’s computer
Moonie, of Waterlily Close, Etruria, admitted an offence under the Computer Misuse Act 1990 between August 1, 2016 and December 31, 2017.
He was spared jail, handed a 12-month community order which includes 160-hours unpaid work, and must pay £2,000 costs.
The other employee has resigned from Stoke-on-Trent’s main hospital.
Moonie accessed 600 staff-related documents, around 150 documents relating to management, and 8,895 images of cardiac tests from Royal Stoke University Hospital (above). He admitted an offence under the Computer Misuse Act 1990 and was spared jail
Judge David Fletcher told Moonie: ‘You are not lacking in intelligence. You clearly know your way around computers.
‘You need now to concentrate very hard on utilising the skills you have in going forward in a positive manner and not resort to this behaviour which could result in something that causes a massive blow to public confidence.’
Stoke-on-Trent Crown Court heard the defendant was employed as an administrator in the Royal Stoke’s heart and lung department.
He was dismissed, following an appeal.
Cyber-law: How the Computer Misuse Act 1990 came to be
As information technology shifted to computers and the digital sphere, legislators came to believe a tougher law with criminal offences would be necessary to deter hackers (stock image)
The Computer Misuse Act 1990 was introduced in partial response to the decision reached in R v Gold & Schifreen (1988).
Robert Schifreen and Stephen Gold were charged under the Forgery and Counterfeiting Act 1981 with defrauding BT after they gained unauthorised access to BT’s Prestel interactive viewdata service.
Tried at Southwark Crown Court, they were convicted on specimen charges and fined hundreds of pounds.
However, they were acquitted by the Lord Justice Lane after appealing to the Criminal Division of the Court of Appeal, citing a lack of sufficient evidence that both had sought to obtain material gain from their exploits.
In 1988, after the prosecution appealed, the Law Lords upheld the verdict, with Lord Justice Brandon claiming: ‘The Procrustean attempt to force these facts into the language of an Act not designed to fit them produced grave difficulties for both judge and jury which we would not wish to see repeated.’
‘The appellants’ conduct,’ he continued, ‘amounted in essence, as already stated, to dishonestly gaining access to the relevant Prestel data bank by a trick. That is not a criminal offence. If it is thought desirable to make it so, that is a matter for the legislature rather than the courts.’
The Law Lords’ ruling led many legal scholars to believe that hacking was not unlawful as the law then stood. Both the Scottish Law Commission (SLC) and the English Law Commission (ELC) resolved to review the matter.
Whereas the SLC concluded that intrusion was adequately covered in Scotland, the ELC believed that a new law was needed.
Based on the ELC’s recommendations, a bill was introduced, and the bill – which included criminal offences on the matter – came into effect in 1990.
Prosecutor Paul Spratt said: ‘He made an error in March 2017 and was cautioned for accessing the hospital computer by a home computer. He had, in truth, not obtained any material of a sensitive nature at that time.
‘The hospital’s head of cyber security undertook some administrative work on the main computer system in December 2017.
‘He found someone other than himself, or a registered person, had been able to gain access to the administrator rights of the computer when they should not have done. They achieved that by changing a password.’
Mr Spratt added: ‘The police searched the defendant’s home and found two disc drives. They were examined and contained 14 documents relating to Moonie and his disciplinary process which he would ordinarily not have had in that form.
‘There was also more than 600 staff-related documents and about 150 documents related to management matters.
‘There were 8,895 images of cardiac tests but they were unattributed. He used the computer to reveal information to him that he had no right to. He was misguided and motivated out of a desire that he was not carrying the can for another.’
West Midlands Crown Prosecution Service (CPS) has welcomed the sentence.
CPS official Jason Corden-Bowen said: ‘Moonie had no right to access the confidential patient and staff records. He admitted his earlier wrongdoing and accepted a police caution yet he went ahead to re-offend knowing full well it was not just against hospital procedures but it was wrong and illegal.
‘Moonie believed he had been unfairly treated and that he was not alone in his earlier hacking behaviour, so he used his computer skills to attack the hospital computer network causing a risk to the integrity of hospital systems.
‘He will now have to reflect on the impact and outcome of his behaviour.’
The Royal Stoke is run by the University Hospitals of North Midlands NHS Trust.
Director Mark Bostock said: ‘Concerns about Daniel Moonie’s activity were raised by a colleague and immediate action was taken to launch an internal investigation, involve the police, and notify the Information Commissioner’s Office (ICO).
‘The full extent of Mr Moonie’s activity has only come to light during the police investigation. We will now work with the police and the ICO to establish what, if any, action should now be taken in terms of notifying individual members of the public or staff about their data. We would like to reassure patients that there is no evidence of harm or risk to their care as a result.
‘Fortunately a case like this is extremely rare and the vast majority of our staff fully respect the privacy of their colleagues and our patients.
‘While Daniel Moonie must take full responsibility for his actions, as a trust we are sorry for any distress he has caused and are fully committed to doing everything we can to prevent a similar breach of security in the future.’