Patricia Hewitt, Secretary of State for Health, has today made yet another statement — and another apology — in the Commons about the MTAS debacle.
She had already explained on Friday that there had been a breach of security on the MTAS website and that the site had been closed down pending investigation.
Candidates’ personal information had been loaded on to the site at about 8.30 am on Wednesday 25 April and the deaneries were notified of the relevant web page address at 9.30 am.
“In making the information available to the deaneries, the MTAS contractor, Methods Consulting, failed to provide the usual and essential password security protection,” she said. Once Channel 4 News discovered the breach, they contacted the Department, and the loophole was closed.
Ms Hewitt said that during the time the web page was visible without a security password, information on foundation programme applicants was accessed from 21 different internet addresses, mostly belonging to postgraduate deaneries. Many of the other accesses in that time were from Channel 4 News, she said.
“There is no evidence that members of the public or other commercial interests, apart from staff at ITN and Channel 4 News, accessed the site,” she told MPs.
She said that Methods Consulting had taken action with its staff following the security breach. But she intended to pursue further action over Channel 4 News’ actions:
“We have already reported the situation to the Information Commissioner. I will also report it to Ofcom and draw it to the attention of the chairman of Channel 4 and ITN.”
She went on to explain that on Thursday 26 April, it emerged that applicants could randomly access another candidate’s messages on the messaging facility.
“In view of the two lapses, the IT contractor, Methods, immediately appointed an approved security company, MWR InfoSecurity, to carry out a full security review and penetration testing,” she said. “Some weaknesses were identified and MWR InfoSecurity has been working with the contractor to rectify them.”
She added that Communications Electronic Security Group, the national technical authority for information assurance, was also advising the Department.
“The MTAS site will be re-opened as soon as we have the necessary security assurances,” she said.
“I apologise again to junior doctors or foundation programme applicants who have been caused anxiety or, in some cases, inconvenience as a result. I will, of course, continue to keep the House informed of further developments.”
Conservative health spokesperson Andrew Lansley said he knew of 14 examples where junior doctors had gone on to the site to try to book interviews and had seen their preferences changed.
“They have seen interviews being booked for two weeks prior to their application; they have seen double interviews; they have seen their eligibility disappear; and they have been told that there are no vacancies, but when they have telephoned, they have been told that there are choices. The system is not working,” he said.
Meanwhile the BMA called for reassurances that no medical student had been affected by the breach and that it would not happen again. Dr Andrew Rowland, vice chair of the Junior Doctors Committee, said it was a disgrace: “We are not confident the evidence provided today is enough to say there is a cast iron guarantee that no members of the public accessed the site.”