UPDATE: Community order for man who stole over 10,000 records from Royal Stoke Hospital

|News, Cyber / online crime

A former Royal Stoke Hospital employee, who used the hospital’s computer system to download over 10,000 confidential information including patient and employee records, has been given a 12-month community order.

Daniel Mooney, 27, from Stoke-on-Trent, was sentenced today (Thursday 16 January) at Stoke-on-Trent Crown Court for securing unauthorised access to the hospital’s computer data between August 2016 and July 2017. He was also ordered to complete 120 hours of unpaid work and pay £2000 costs.

Mooney, who worked at the hospital in an administrative capacity from 2011 until his dismissal in 2017, accessed the hospital’s computer network to steal confidential information including patient and employee records.

When it was discovered he had gained unauthorised access to the hospital’s computer network, he was dismissed from the hospital and cautioned by police in March 2017. Mooney agreed as part of the terms of the police caution that he would not:

  1. Access any IT system within the hospital
  2. Enter the hospital (unless a patient, visiting a patient or for HR reasons), and
  3. Contact staff unless at the request of the HR department.

However, after the caution, Mooney accessed the hospital’s computer systems again and he obtained and saved confidential material.

When he was arrested in December 2017, officers from Staffordshire Police searched his home and discovered two hard drives with over 10,000 files including unidentified images of cardiac tests on patients, sensitive patient records and confidential employee files.

He admitted his guilt on 9 January 2020 at Staffordshire Crown Court before his trial which was to commence on 20 January 2020.

Jason Corden-Bowen, of the CPS, said: “Mooney had no right to access confidential patient and staff records. He admitted his earlier wrongdoing and accepted a police caution yet he went ahead to reoffend knowing fully well it was not just against hospital procedures but it was wrong and illegal.

“Mooney believed he had been unfairly treated and that he was not alone in his earlier hacking behaviour, so he used his computer skills to access the hospital computer network causing a risk to the integrity of hospital systems, and a breach of trust in the NHS.

“He has been sentenced appropriately today and will now have to reflect on the impact and outcome of his behaviour.”

Mark Bostock, Director of IM&T at University Hospitals of North Midlands NHS Trust, said: “Concerns about Daniel Mooney’s activity were raised by a colleague and immediate action was taken to launch an internal investigation, involve the Police and notify the Information Commissioner’s Officer.

“The full extent of Mr Mooney’s activity has only come to light during the police investigation and now that the trial has concluded we will be working with the Police and the ICO to establish what, if any action should now be taken in terms of notifying individual members of the public or staff about their data. We would like to reassure patients that there is no evidence of harm or risk to their care as a result.

“Fortunately a case like this is extremely rare and the vast majority of our staff fully respect the privacy of their colleagues and our patients. Whilst Daniel Mooney must take full responsibility for his actions, as a Trust we are sorry for any distress that he has caused and are  committed to doing everything we can to prevent a similar breach of security in the future. Since the time of these incidents in 2017, significant advances in cyber-defence technology have been made nationally and the Trust has also invested in this area, making this kind of activity much less likely to go undetected.”

Notes to editors

  • Jason Corden-Bowen is a District Crown Prosecutor with CPS West Midlands.
  • Sentencing details:
    • Daniel Moonie (DOB: 2 Mar 1992) from Etruria, Stoke-on-Trent pleaded guilty to:
  1. causing a computer to secure unauthorised access to computer data contrary to Section 1(1) and (3) of the Computer Misuse Act 1990
  2. Causing a computer to perform function to secure unauthorised access to a program/data

Further reading