A former Royal Stoke Hospital worker has been spared jail, after hacking into over 10,000 patient and staff files.
Daniel Moonie, who worked at the hospital in an administrative capacity, used malicious software to crack the passwords of his co-workers to access the information.
When it was discovered the 27-year-old had gained unauthorised access to the hospital’s computer network in 2017, he was dismissed from his job and cautioned by police. Moonie agreed as part of the terms of the police caution that he would not:
- Access any IT system within the hospital
- Enter the hospital (unless a patient, visiting a patient or for HR reasons), and
- Contact staff unless at the request of the HR department.
However, after the caution, Moonie hacked the hospital’s computer systems again and he obtained and saved confidential material.
When he was arrested in December 2017, police discovered two hard drives at his Stoke-on-Trent home with files including jpeg images of cardiac tests on patients, sensitive patient records and confidential employee files.
He admitted his guilt at a hearing earlier this month to securing unauthorised access to the hospital’s computer data between August 2016 and July 2017.
Moonie has been handed a 12-month community order, told to complete 120 hours of unpaid work, and pay £2000 in costs.
Jason Corden-Bowen, of the CPS, said: “Moonie had no right to access confidential patient and staff records. He admitted his earlier wrongdoing and accepted a police caution yet he went ahead to reoffend knowing fully well it was not just against hospital procedures but it was wrong and illegal.
“Moonie believed he had been unfairly treated and that he was not alone in his earlier hacking behaviour, so he used his computer skills to attack the hospital computer network causing a risk to the integrity of hospital systems, the stolen data and a breach of trust in the NHS.
“He has been sentenced appropriately today and will now have to reflect on the impact and outcome of his behaviour.”
Mark Bostock, Director of IM&T at University Hospitals of North Midlands NHS Trust, said: “Concerns about Daniel Moonie’s activity were raised by a colleague and immediate action was taken to launch an internal investigation, involve the Police and notify the Information Commissioner’s Officer.
“The full extent of Mr Moonie’s activity has only come to light during the police investigation and now that the trial has concluded we will be working with the Police and the ICO to establish what, if any action should now be taken in terms of notifying individual members of the public or staff about their data. We would like to reassure patients that there is no evidence of harm or risk to their care as a result.
“Fortunately a case like this is extremely rare and the vast majority of our staff fully respect the privacy of their colleagues and our patients. Whilst Daniel Moonie must take full responsibility for his actions, as a Trust we are sorry for any distress that he has caused and are fully committed to doing everything we can to prevent a similar breach of security in the future. Since the time of these incidents in 2017, significant advances in cyber-defence technology have been made nationally and the Trust has also invested in this area, making this kind of activity much less likely to go undetected.”