Data breaches by Mermaids exposed in the Times

[truthisarevolutionaryact]

Mermaids has apparently put lots of confidential data online including private emails, personal data and emails demonstrating the pressure they have put on the Tavistock.
Andrew Gilligan article - share token:

www.thetimes.co.uk/article/parents-anger-as-child-sex-change-charity-puts-private-emails-online-tl0g5hwcg?shareToken=2f8ddc23419c61360023562a62e74d13

This is a totally irrelevant post Always, but Ive always read it like the disease gid (like gits) or as G.I.D.S as an acronym

Gid -A disease of herbivores, especially sheep, caused by the presence of larvae of the tapeworm Taenia multiceps in the brain and resulting in a staggering gait: apparently the origin of the word 'giddy'
Which makes that one of the few words with both an etymology and entymology.

So true @Outanabout . There's no smoke without a blazing forest fire these days it seems.

I think it's in order for a charity to do that kind of work if that's the kind of work they do. I work for a charity and we do advocacy and legal advice.

Just on the pic above.

Thought that cross-sex hormones weren't prescribed before 16 in the UK?

So in the pic above the young person had already had a year on testosterone? So 13 at the time testosterone was prescribed.

I know, I found that quite surprising. Wonder where they got the T from? Does the Tavi prescribe T that young? Thought it was only puberty blockers. Must have got them privately?

Dr Webberley was prescribing drugs to young children wasn’t she ? And they now have a clinic in Spain ?
A friend’s dd in Spain has been put on hormones already, she is only 16, with sudden -onset gender issues. Tragic.

WRT GPs writing emails, very tight rules.

They have to post letters not write emails as a rule.

There has been a further update by Mermaids:

Updated 26 June 2019—

Since this statement was first published, Mermaids has taken steps to disable the cached/replicated version of the data which resulted from this breach. The material is not responsive to search engine enquiries, and links have been delisted from Google search by Mermaids' lawyers, a deletion notice has been served on the website and the relevant national data protection supervisory authority notified, to enforce deletion. In this way, the data breach and any effect on service users has been or is in the process of being successfully contained and remediated

How can they say 'any effect has been successfully contained'? They have no idea who has downloaded the data. It could be posted again daily by anyone who had it. Anyone could have read it for any purposes. What a bizarre statement to make.

There is so much wrong with that statement.

Why did they only take these steps after the breach became public? Surely they should have taken them the moment the Times informed them of the breach?

Obviously at one point the information was responsive to search engine enquiries, even if it isn't now. The way they have phrased it implies that it never was.

How do they define successfully contained? It is out there. Many people have seen it (I haven't and have no wish to). Anyone with nefarious intent will already have taken copies. I would argue that it can never be successfully contained.

They still don't get it do they? Have they actually apologised yet?

They seem to be trying to minimise how serious it was. Presumably it was very sensitive special category data about health in some cases.

Have I missed the outcome of the ICO investigation?

Hmm,

I've had a quick look and can't find anything...

that's odd, it's been almost a year

It's been almost two years now. Anyone know anything?

I saw this and thought - what - AGAIN?!

You're totally right, though - where's the ICO investigation on this?

Do they normally publish anything? i.e. should we expect to know?

a google gives this latest FOI request from October 2020, which eventually says that
" To the extent that your latest correspondence constitutes a request under the FoIA, the recorded information we hold says that the investigation into this matter is still ongoing. In regards to an expected date of completion there is no information held.

I can also advise you that if we do take action against Mermaids in the future, the details will be published on the [1]enforcement section of our website."

www.whatdotheyknow.com/request/ico_investigation_into_mermaids

What's still ongoing then? Is this normal?

Really there’s no outcome from this yet?!?

The response in July 2020 is at least somewhat illuminating
www.whatdotheyknow.com/request/671919/response/1598534/attach/html/2/Information%20request%20response.pdf.html
Alluding as it does to “potential security risks and vulnerabilities in Mermaids UK’s operating systems” as a reason for non disclosure at that time.

How could the fact that the investigation is still ongoing possibly be interpreted?

• perhaps Mermaids is uncooperative
• perhaps the investigation is absolutely massive and genuinely takes time
• perhaps ICO, a Stonewall diversity champion, is reluctant to expose Mermaid’s failings and dragging its heels any way it can, because rainbow glitter family etc.
• Any other hypotheses?

They’ll have to come to a conclusion eventually.
I’d also be really interested in a FOI asking for any correspondence between ICO and Stonewall regarding the complaint against and investigation into Mermaids. If anyone is in position to be able to do that.
Or possibly a separate FOI asking how many cases initiated prior to eg. Sept 2019 are still unresolved, to give an idea of how significant the delay is.

I can’t find a #dontsubmittostonewall FOI to the ICO - is there one?

Mermaids has to file accounts. The accounts to March 2020 were filed in January 3021 and say on p32:
“Mid-June 2019 Mermaids was made aware that information from internal communications was available online. Although the breach was quickly contained, this resulted in a front page story in a national newspaper. The need to inform those affected in a timely manner as well as
addressing the reputational risk was urgent. Additionally it was clear that a thorough review of this incident plus interrogation of all other data processing functions within the charity was required. Mermaids took this incident very seriously and immediately sought professional
advice on all aspects, including legal support and data consultancy. Thankfully Mermaids was in a financial position to invest in the best services available, to help secure the future of the organisation.
The exceptional costs from this incident are included in legal costs and amount to £158,029”

The “those effected” does perhaps conflict with their statements at the time.

This is just from wiki “ The press release stated that the breach was limited to internal emails and that no emails to and from families were part of the information leaked; The Times disputed this.”

Mermaids had income that year of £902k. Audit is only compulsory at £1m.

I was thinking about this the other day, I really got my data nerd on ⬆️ Upthread. I remember being completely shocked by the poor quality of their data protection policy and procedure. This was a terrible breach of sensitive medical data relating to children, and another example of Mermaids failing its clients, and refusing to accept that they did so. The bit about Mermaids actively looking for research proving increased suicidality of gender questioning children as being “helpful to the cause” was a real low point, too.

The bit that came out about Mermaids cosily collaborating with the EHRC is interesting again now, given the change in direction of travel there.

I am sort of unsurprised that there hasn’t been a resolution, the ICO has struggled to keep up, and this has probably just stayed under the carpet where it was swept.