The Information Commissioner's Office (ICO) has issued its largest monetary penalty of £325,000 to Brighton and Sussex University Hospitals NHS Trust after hard drives containing sensitive patient information were sold.
The ICO said that hard drives were sold on an internet auction site in October and November 2010 and it discovered "highly sensitive personal data" belonging to tens of thousands of patients and staff.
The ICO alleged that the data included details of patients' medical conditions and treatment, disability living allowance forms and children's reports. Also apparently included were documents containing staff National Insurance numbers, home addresses, ward and hospital IDs and information referring to criminal convictions and suspected offences.
ICO deputy commissioner and director of data protection David Smith said: “The amount of the monetary penalty issued in this case reflects the gravity and scale of the data breach. It sets an example for all organisations – both public and private – of the importance of keeping personal information secure.
“That said, patients of the NHS in particular rely on the service to keep their sensitive personal details secure. In this case, the trust failed significantly in its duty to its patients, and also to its staff.”
According to the ICO a third party, Sussex Health Informatics Service (HIS), was tasked to destroy approximately 1,000 hard drives held in a room accessed by key code at Brighton General Hospital in September and October 2010.
It said that the trust was unable to explain how the individual from the third party removed at least 252 of the approximately 1,000 hard drives they were supposed to destroy during their five days on site.
They are not believed to have known the key code needed to access the room where the drives were stored, and were usually supervised by staff working for HIS. However, the trust acknowledged that the individual would have left the building for breaks and that the hospital is publicly accessible.
A data recovery company bought four hard drives in December 2010 via eBay from the individual at Sussex HIS. One of the hard drives was bought by a student at Sussex University and an examination of the drives established that they contained data which belonged to the trust.
In response, Duncan Selbie, chief executive of Brighton and Sussex University Hospitals, said that it disputed the findings, specifically that the trust had been reckless, a requirement for any fine.
He said: “We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay. No sensitive data has therefore entered the public domain. We reported all of this voluntarily to the ICO, who told me last summer that this was not a case worthy of a fine.
“The information commissioner has ignored our extensive representations. It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine despite repeated attempts to find out, including a freedom of information request, which they interestingly refused on the basis that it would ‘prejudice the monetary penalty process'.”
“In a time of austerity, we have to ensure more than ever that we deliver the best and safest care to our patients with the money that we have available. We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal.”