Belfast Health and Social Care Trust have been fined £225,000 by the Information Commissioner's Office (ICO).
An investigation found that after a merger of six community trusts into the Belfast Health and Social Care Trust in 2007, one data controller took over responsibility for more than 50 disused sites.
However, confidential and sensitive personal data, consisting of patient and staff records, were stored at Belvoir Park Hospital, a disused site. The ICO found that the data controller arranged physical security measures for the site when it took over responsibility for it, but did not carry out an inspection.
The ICO found that trespassers gained access to the site on several occasions to photograph the records, which were then posted on the internet. While the ICO accepted that very few of the data subjects were identifiable from the photographs, the data controller was not aware that the security of the data on the site was being compromised until 2nd March 2010, when it received a report from a third party that images of the records were accessible online.
Following this, the data controller increased the number of security guards and arranged for an inspection of the site. The inspection found that records on the site were stored in boxes, in cabinets, on shelves or on the floor. The patient records included: approximately 100,000 paper medical records; X-rays; microfiche records; hard copies of medical scans; hard copies of scan reports; lab results; paper ward records; and various letters.
However, the trust failed to report the situation at the Belvoir Park site to the ICO, and the ICO's investigation found that the trust had failed to keep the information secure or to securely destroy medical documents once they were no longer required.
Ken Macdonald, the ICO's assistant commissioner for Northern Ireland, said: “The severity of this penalty reflects the fact that this case involved the confidential and sensitive personal data of thousands of patients and staff being compromised.
“The trust failed to take appropriate action to keep the information secure, leaving sensitive information at a hospital site that was clearly no longer fit for purpose. The people involved would also have suffered additional distress as a result of the posting of this data on the internet.
“The trust has therefore failed significantly in its duty to its patients, and we hope that the action we've taken sets an example for all organisations that they must keep personal data secure, irrespective of where they choose to store it.”
The trust has now removed patient records from the site and examined them and either retained or securely disposed of them as required. A decommissioning policy has also been implemented by the trust to ensure that personal information is securely destroyed once it is no longer needed.
Alex Teh, director at Vigil Software, said: “Though it is good to see that the ICO is continuing with its diligence in ensuring that the Data Protection Act is being upheld, it also highlights the importance of compliance.
“Whether it be a fine, or a disclosure of the violation from the ICO, businesses without adequate data protection procedures should consider the significance of data loss prevention, encryption, and compliance solutions before a breach occurs and not wait to see the result should a breach arise.”