NHS Workers – Forced into risks of being victims of cyber-crime

Contractor Voice was formed to campaign for improved legal rights for all UK temporary contractors, but when it comes to those who work for the NHS, its founder, Jacob Bellas, is particularly passionate, as he has worked within the NHS for 13 years, with 10 of those as a contractor.

With many close friends and colleagues working as NHS contractors, Jacob very much has his ear to the ground when it comes to how those contractors are being treated unfairly by end-clients, frameworks, and agencies.

This article focuses on the hugely topical issue of the recent cyber-attacks befalling a number of umbrellas that NHS contractors (and contractors working across all professions) are being forced to continue to work for or are being forced to use for new placements.

It is now an indisputable fact that FCSA-accredited companies Giant, Parasol, Brookson One, SJD and Nixon Williams have unfortunately been targeted by cyber-criminals. Robert Sharp of Orca Pay Group recently pointed out that the industry is “seeing a sustained attack on the [FCSA] organisation that started last summer”. So, if these attacks are going to continue, there could be significant consequences for agencies and frameworks that mandate the use of the companies being targeted, now in the knowledge that there is a real risk to contractors.

With admissions by CEOs and the very recent dark web findings published by The Stack and The Register, it is also indisputable that the personal data of many employees on the books of the affected businesses has been compromised and is available to be abused by criminals across the world. Jacob, who has also viewed the data available on the dark web, says it is truly shocking. Perhaps the most shocking is that “a company with the resources of Optionis actually uses Password123 for a login credential!”

Quoting from a recent article published by The Stack in relation to the attack on Optionis, the parent company of Parasol, SJD and Nixon Williams: “Thousands of email addresses and phone numbers. Over 1,000 scanned passports. National Insurance numbers. P60s. Detailed bank statements. Contracts. Salaries” are available on the dark web.

The article goes on to say: “It also reveals appalling security hygiene across many of Optionis’ companies, with staff seemingly routinely storing credentials in clearly flagged Word or Excel documents. Conveniently for attackers, these were titled, among other examples, ‘useful links and passwords’, ‘passwords’, and ‘useful passwords’.”

So, with everyone in the sector knowing without any doubt what has happened, why on earth are the decision makers in the NHS, frameworks (Health Trust Europe, London Procurement Partnership, M Star 3) and many agencies still forcing NHS contractors to work through FCSA umbrellas? Would those decision makers willingly elect to be employed by them to earn their livelihoods and put their personal data at risk? Absolutely not, so why are they forcing contractors to?

We have only seen the tip of the iceberg so far in terms of knowing what personal data has been compromised and what will be done with it by criminals. How bad does it have to get before action is taken to safeguard all contractors that are at risk?

For safeguarding, Contractor Voice has made a number of recommendations to BEIS, REC and APSCo, the core of which is that until FCSA members can demonstrate that their IT security has been improved by achieving ISO 27001, they are not safe to use and must be removed from agency PSLs.

The cyber-attacks have caused Julia Kermode, the founder of IWork, to question the validity of current PSLs and their focus on kickbacks from umbrellas and accreditations, which have no regard at all to data and IT security. Contractor Voice supports her comments and points out that there are hundreds of umbrellas for a contractor to choose from that have their best interests in all ways as their focus, with no element of the dreaded tax avoidance which agencies are understandably concerned about.

Jacob has spoken to many of his friends and colleagues working as NHS contractors and here are the issues common between them, many of which equally apply to all contractors no matter what they work as:

  • Agencies are saying their hands are tied as their end-clients and the frameworks they work through are still mandating only FCSA umbrellas
  • Agencies are saying they only have FCSA umbrellas on their PSLs
  • Contractors believe they are trapped and have no option if they want to keep earning a living
  • It is now widely known that contractors’ personal data is on the dark web. They are waiting for the day that they realise they have been hacked
  • They will lose their placement if they try to move to a non-FCSA umbrella
  • They cannot take up a new placement if they try to work for a non-FCSA umbrella
  • At a time when we all still need a fully functioning NHS, many are looking to leave it and move into private health care

Having spoken to many contractors, Jacob says: “The fear and worry amongst my friends and colleagues who are contractors is huge. They feel trapped, exposed and no one will offer them a solution. It’s as though no one cares about them.”

Having spoken to decision makers in agencies that do not insist on FCSA umbrellas, he states the common themes include: “Contractors are rightly concerned about the risk to them. They feel for those that do not have a freedom of choice. It really does feel as though NHS and framework bosses are not giving any consideration to contractors about what has happened of late and the risks that they are exposing contractors to.” He went on to say: “Those bosses need to wake up and understand that the NHS is being put at risk as contractors will leave and earn a living elsewhere.”

All parts of the NHS and all framework providers are still insisting that FCSA umbrellas are used. Contractor Voice has a very long list of private and public sector agencies that insist and will share it on request, but the ones most recently mentioned by a significant number of NHS contractors include Pertemps, Hays, Seven Resourcing, Positive Healthcare, Hunter Gatherer Group and Daytime Healthcare.

Contractor Voice now calls on every member of the sector that has a conscience, as well as those that have significant influence including BEIS, REC and APSCo, to make it known that what NHS, framework, and agency leaders are doing is abhorrent and it needs to stop now.

For anyone that needs a refresh on the recent cyber-attacks, here is just a small selection of recent articles from prominent commentators:

The Stack – The Optionis data breach is worse than you can imagine

The Freelance Informer – Umbrella Contractors: Do You Think Your Data Has Been Leaked?

The Register – Ransomware crew dumps stolen Optionis files online

ContractorUk – Optionis notifies contractors of data being copied and leaked

Umbrella Companies – Which Umbrella Companies And Contractor Accountants Have Been Hacked Or Subjected To Cyber-Attacks?

IWork – Time To Get Rid Of Umbrella Preferred Supplier Lists?

Contractor Voice – FCSA Cyber Attacks – Protecting Contractors

Contractor Voice Podcast – Umbrella cyber-attacks: Consequences for contractors’ data