ICO fines police force, as US health insurer coughs up $1.5m

The Information Commissioner's Office (ICO) issued its first monetary penalty to a police force after papers containing sensitive information were discovered on a street in Blackpool.

The fine of £70,000 was issued to Lancashire Constabulary after a missing person's report of a 15-year-old girl was discovered by a member of the public. The document included details of the girl's age, address, contact information and sexuality, as well as mentioning that she had previously been sexually assaulted. Personal details relating to 14 other individuals, including the girl's original attacker, were also included in the report.

The ICO reported that the report had previously been used by an officer trying to locate the missing youth and is thought to have been left in a police vehicle, where it lay undiscovered for several days. It is then believed the report fell out of the car when a different officer used it to attend the scene of an incident; it was discovered by a member of the public the next day.

The ICO's investigation found that the constabulary did not record when sensitive personal information was taken outside of the police station and that officers were not provided with secure bags for storing personal information, and received no specific training on how to look after hard-copy documents outside the station.

Steve Eckersley, head of enforcement at the ICO, said: “The fact that information as sensitive as this could go missing without anybody realising is extremely worrying, and shows that Lancashire Constabulary failed to have the necessary governance, policies and suitable training in place to keep the personal information they handle secure.

“While we are pleased that Lancashire Constabulary has agreed to take action to make sure people's information is safe, it is vitally important that police forces have effective data-protection policies in place for electronic and paper-based systems, if they are to operate with the trust and confidence of the public they serve. This includes keeping a record of where personal information is being stored and used.”

In the US, the Department of Health and Human Services Office for Civil Rights has fined Tennessee-based health insurance provider BlueCross BlueShield $1.5m, after a theft in which hard drives containing health information on more than one million customers were stolen.

According to Knoxville's knoxnews.com, BlueCross BlueShield said the hard drives were stolen from a data-storage closet at a former call centre. The 57 hard drives, stolen in 2009, included customers' names, Social Security numbers, diagnosis codes, dates of birth and health-plan identification numbers.

The US Department of Health and Human Services Office for Civil Rights said the company "failed to implement appropriate administrative safeguards to adequately protect information" at the facility and did not have adequate access controls. BlueCross BlueShield has agreed to a 450-day corrective action plan to address gaps in its HIPAA compliance programme.

Since the theft, the company said that it has spent nearly $17m in its investigation, notification and protection efforts. Tena Roberson, deputy general counsel and chief privacy officer for BlueCross, said in a statement that it has "worked diligently to restore the trust of our members by demonstrating our full commitment to limiting their risks from this misdeed and making significant investments to ensure their information is safe at all times".

Chris McIntosh, CEO of ViaSat UK, said: “This loss contains a painful lesson, not just for BlueCross, but for the million-plus customers whose personal data has been taken. Data should never be assumed to be safe: whether on a CD, a memory stick, a laptop or a server, it should be protected to the highest level possible to avoid punishments such as this.

“Organisations in the UK may well ask how this affects them, but the lessons are clear. First, while the US Office for Civil Rights clearly currently has the power to impose larger fines, the UK's ICO is still champing at the bit to take action against any organisation guilty of a similar transgression, with the financial and reputational damage that implies.

“Second, BlueCross has admitted to spending nearly $17m on its notification, investigation and protection efforts since the original loss. This dwarfs the federal fine and shows quite clearly that the true costs of a data breach will far exceed a simple one-off penalty.”