NHS Surrey has been fined £200,000 by the Information Commissioner's Office (ICO) after more than 3,000 patient records were found on a second-hand computer.
The computer, which was bought through an online auction site, was sold by a data destruction company employed by NHS Surrey to wipe and destroy old computer equipment. The company carried out the service for free, with an agreement that they could sell any salvageable materials after the hard drives had been securely destroyed.
NHS Surrey was alerted to the problem by a member of the public who bought the computer and found that it contained patients' details. Further investigation found confidential sensitive personal data and HR records on the device, including patient records relating to approximately 900 adults and 2,000 children.
NHS Surrey reclaimed a further 39 computers sold by the trading arm of its new data destruction provider. Ten of these computers had previously belonged to the healthcare service, and three of those still contained sensitive personal data.
According to the ICO, the NHS Surrey IT team explained that the hard drives would have to be physically destroyed because they may store confidential medical information. The director of the data destruction company provided an assurance to the IT team that the hard drives would be crushed by an industrial guillotine, although there was no legal contract between them.
The ICO found that NHS Surrey mislaid the records of the equipment passed for destruction between March 2010 and 10th February 2011, and was only able to confirm that 1,570 computers were processed between 10th February 2011 and 28th May 2012. The data destruction company was unable to trace where the computers ended up, or confirm how many might still contain personal data.
Stephen Eckersley, head of enforcement at the ICO, said: “The facts of this breach are truly shocking. NHS Surrey chose to leave an approved provider and handed over thousands of patients' details to a company without checking that the information had been securely deleted. The result was that patients' information was effectively being sold online.
“This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case. We should not have to tell organisations to think twice before outsourcing vital services to companies who offer to work for free.”
NHS Surrey was dissolved on 31st March 2013 with some of its legal responsibilities passing to the NHS Commissioning Board. The board will be required to pay the penalty amount by 22nd July 2013.
The people of Surrey were previously affected by three incidents that led to an ICO monetary penalty of £120,000. In a similar incident, Brighton and Sussex University Hospitals NHS Trust faced a fine of £325,000 after a third party was tasked with destroying approximately 1,000 hard drives, some of which appeared on an online auction site.
Jonathan Armstrong, partner at law firm Duane Morris, said that it appeared that the ICO seemed to want to send the message that data controllers, especially in the NHS, should be wary of free offers.
“Effectively they want to send the message that personal data should not be compromised to save cash,” he said.
“I'm not sure whether the legacy body or the new one self-reported, but perhaps there was some delay as efforts were made to try and get the other devices back. You'll see some were recovered but there's still a lot out there.
“Another major factor was the fact that data recovery tools had to be used to recover it. If the data was more readily accessible the penalty might have been higher.”
Chris McIntosh, CEO of ViaSat UK, said: “Performing due diligence on sub-contractors and ensuring that no sensitive data is put at risk as they perform their tasks should be a matter of course, for the NHS or for anyone. However, at the same time when dealing with such sensitive information, it should be protected from unauthorised access from cradle to grave: for example, if such data was encrypted when first stored then even a slip-up in disposal would not put it in danger of being compromised.
“Increasing financial pressure means that sub-contracting is likely to become common in more and more parts of the public sector. When a single incident can cause a huge amount of damage to public trust in the NHS, it is imperative that any contractor's data protection is under the same scrutiny as the NHS itself: even if it means choosing a more costly option.”
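Two controls run through the commentary above: the ICO's observation that recovery tools were needed to read the records, and McIntosh's point that data encrypted when first stored survives a disposal slip-up. The following Python script is an added illustration written for this article; it is not code from NHS Surrey, the ICO or ViaSat, and every record in it is fictitious and constructed for the example. It builds a small simulated disk image containing record-like text, shows that a simple carving pass (an NHS-number-shaped pattern search, standing in for a recovery tool) pulls the records straight off an unencrypted image but finds nothing on an image encrypted at rest, and finally shows the verification step a disposal process should demand before a device leaves custody: that every sector reads back as overwritten. The HMAC-SHA256 counter-mode keystream is only there to keep the example dependency-free; a real deployment would use full-disk encryption (AES-XTS) rather than this construction.

```python
"""Encrypt-at-rest versus disposal failure: an added illustration (not the article's code).

All records, keys and the NHS-number-shaped values below are constructed for
this example and are not real data.
"""
import hashlib
import hmac
import re

# Constructed sample records shaped like the categories the article describes.
RECORDS = [
    b"Patient: A. Example, NHS number 111 222 3333, GP clinic referral\n",
    b"Patient: B. Example, NHS number 444 555 6666, outpatient letter\n",
    b"HR record: staff no 000123, sickness absence summary\n",
]

# A recovery tool's carving pass would look for recognisable tokens; an
# NHS-number-shaped string (three, three, four digits) is the stand-in here.
NHS_NUMBER = re.compile(rb"\b\d{3} \d{3} \d{4}\b")

SECTOR = 512


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF keystream (illustrative only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, nonce, data):
    """XOR the data with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


decrypt = encrypt


def build_disk_image(records, key=None, sectors=16):
    """Lay each record at a sector boundary with deterministic filler.

    With a key, the whole image is encrypted, modelling a device that was
    encrypted from the moment data was first written to it.
    """
    image = bytearray()
    for i in range(sectors):
        payload = records[i] if i < len(records) else b""
        filler = hashlib.sha256(b"filler-%d" % i).digest() * (SECTOR // 32)
        image += (payload + filler)[:SECTOR]
    if key is not None:
        return encrypt(key, b"disk-nonce", bytes(image))
    return bytes(image)


def recover_records(image):
    """Simulate a recovery tool: carve NHS-number-shaped tokens off the raw device."""
    return NHS_NUMBER.findall(image)


def wipe(image):
    """Overwrite every byte: the software analogue of the physical destruction promised."""
    return bytes(len(image))


def verify_wiped(image):
    """Disposal check: refuse release unless every sector reads back as zeros."""
    return all(image[i:i + SECTOR] == bytes(SECTOR) for i in range(0, len(image), SECTOR))


if __name__ == "__main__":
    key = b"k" * 32  # constructed key for the demonstration
    plain = build_disk_image(RECORDS)
    encrypted = build_disk_image(RECORDS, key=key)
    print("carved from unencrypted image:", recover_records(plain))
    print("carved from encrypted image:  ", recover_records(encrypted))
    print("unencrypted image passes wipe check:", verify_wiped(plain))
    print("after overwrite passes wipe check:  ", verify_wiped(wipe(plain)))
```

The point of the last two checks is procedural rather than cryptographic: the article's failure was not that wiping is hard, but that nobody verified the drives had been destroyed before they were sold on. A `verify_wiped`-style read-back, recorded against the asset's serial number in the disposal log the ICO found NHS Surrey had mislaid, is the evidence a data controller needs to show that the assurance it was given was actually honoured.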