Email Config Error Led to NHS ‘Reply All’ Snafu
A software configuration error was to blame for the NHS “reply all” fiasco in November which caused inbox misery for health workers in the UK.
A Croydon NHS IT contractor sent a message on 14 November to a local email group, which several individuals replied all to in order to be taken off the list.
That’s when the problem occurred – with the “reply all” being applied to the entire organization in England and not just the local group, according to an NHS Digital report seen by Digital Health News.
That led to all 840,000 NHS mail account holders being spammed, in turn generating 500 million emails in just over one hour as subsequent users also replied all in response.
That’s said the be the kind of volume normally seen over three months – and while the system didn’t crash, it ground to a virtual halt for most of the day.
The “reply all” function was disabled by NHS Digital as soon as it realized what was happening.
The sender was exonerated of any blame as the email snafu was apparently not visible to the user.
However, consultancy Accenture, which was given the £60 million contract to upgrade the system to NHSmail2 in 2015, did come on the receiving end of criticism in the report.
It apparently failed to implement “clear and strict” design controls requested by the NHS limiting the volume of emails one user could send at one time.
The firm has yet to deliver that functionality, and until it has the ability to create Dynamic Distribution Lists will remain off-limits, according to the report.
“We are continuing to work with Accenture and with Microsoft to review and enhance where necessary all areas of the service, which successfully supports more than 35,000 distribution lists, to ensure we are satisfied such an incident as described by this paper does not recur,” the report said.
The NHS is far from the only organization to have suffered because of an email issue.
In October last year, the president of US publisher Barron’s accidentally hit “reply all” on a confidential email and revealed secret plans to lay off staff to the entire Wall Street Journal news desk.
Source: Information Security Magazine