A Brighton hospital trust has been fined £325,000 after 252 hard disks containing highly sensitive patient information were sold on eBay.
The disks, which were supposed to have been destroyed, contained personal details about tens of thousands of patients, some of them children.
The data included details of HIV and other sexual health problems, the home address and national insurance numbers of staff and references to criminal convictions.
The fine is the highest issued by the Information Commissioner’s Office (ICO) for breaching the Data Protection Act.
Brighton and Sussex University Hospitals NHS Trust, which runs the Royal Sussex County Hospital, said that it intended to appeal.
The trust said that it had employed a Department of Health approved specialist contractor, Sussex Health Informatics Service, to destroy a thousand disks.
But the contractor had entrusted the work to an individual who sold the disks on the internet in October and November 2010.
David Smith, the ICO’s deputy commissioner and director of data protection, said that the size of the fine reflected the gravity and scale of the data breach.
He said: “It sets an example for all organisations – both public and private – of the importance of keeping personal information secure.
“That said, patients of the NHS in particular rely on the service to keep their sensitive personal details secure.
“In this case, the trust failed significantly in its duty to its patients and also to its staff.”
Duncan Selbie, the trust chief executive, said: “We dispute the Information Commissioner’s findings, especially that we were reckless, a requirement for any fine.
“We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay.
“No sensitive data has therefore entered the public domain.
“We reported all of this voluntarily to the Information Commissioner’s Office, who told me last summer that this was not a case worthy of a fine.
“It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine despite repeated attempts to find out, including a freedom of information request which they interestingly refused on the basis that it would ‘prejudice the monetary penalty process’.
“In a time of austerity, we have to ensure more than ever that we deliver the best and safest care to our patients with the money that we have available.
“We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal.”
The trust said that the fine could pay for it to:
- Deliver 300 babies
- Mend 50 broken hips
- Deal with 3,400 patients in A&E
- Carry out 30 heart bypass operations
- Provide 360 chemotherapy treatments
I’m surprised at the level of the fine, but it seems the ICO are taking the issue of data breaches very seriously. Organisations like NHS trusts need to ensure they’ve got the correct policies in place for how they manage data at the disposal stage of the IT lifecycle, and hopefully this will serve as a lesson to others.
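The failure described above is a process one: drives left the organisation on the assumption that a contractor had destroyed them, with no independent check. One control an IT team can put at the disposal stage is to read each retired drive back after sanitisation and record the result against its serial number before releasing it. The script below is an added example written for this page, not code from the article, the trust or the ICO; the sector layout, the fill pattern, the device path argument and the embedded sample image are all constructed assumptions.

```python
"""Post-wipe read-back verification of a drive image (added example, not from the article).

After a sanitisation tool has overwritten a drive with a fill byte, read the device
(or a raw image of it) back and confirm that every sector holds only that byte.
Any sector that still carries other data means the drive must not leave the site.
The device path and the sample image below are constructed for illustration.
"""
import sys
from typing import Iterator, List, Tuple

SECTOR_SIZE = 512  # assumed logical sector size


def iter_sectors(data: bytes, sector_size: int = SECTOR_SIZE) -> Iterator[Tuple[int, bytes]]:
    """Yield (sector_index, sector_bytes) pairs over a byte buffer."""
    for offset in range(0, len(data), sector_size):
        yield offset // sector_size, data[offset: offset + sector_size]


def find_dirty_sectors(data: bytes, fill: int = 0x00, sector_size: int = SECTOR_SIZE) -> List[int]:
    """Return indices of sectors containing any byte other than `fill`."""
    pattern = bytes([fill]) * sector_size
    dirty: List[int] = []
    for index, sector in iter_sectors(data, sector_size):
        # The final sector of a buffer may be short; compare against a matching prefix.
        if sector != pattern[: len(sector)]:
            dirty.append(index)
    return dirty


def verify_wiped(data: bytes, fill: int = 0x00) -> Tuple[bool, List[int]]:
    """Verify an in-memory image: (True, []) when clean, else (False, dirty_sectors)."""
    dirty = find_dirty_sectors(data, fill)
    return (len(dirty) == 0, dirty)


def verify_device(path: str, fill: int = 0x00, chunk: int = 1 << 20) -> Tuple[bool, List[int]]:
    """Stream a device or image in 1 MiB chunks so drives larger than RAM can be checked.

    `chunk` must be a multiple of SECTOR_SIZE so sector indices stay aligned across reads.
    """
    dirty: List[int] = []
    offset = 0
    with open(path, "rb") as fh:  # open read-only; verification must never write
        while True:
            buf = fh.read(chunk)
            if not buf:
                break
            base = offset // SECTOR_SIZE
            dirty.extend(base + n for n in find_dirty_sectors(buf, fill))
            offset += len(buf)
    return (len(dirty) == 0, dirty)


def build_sample_image() -> bytes:
    """Constructed 8-sector image: wiped everywhere except sector 5, which still holds a record."""
    image = bytearray(8 * SECTOR_SIZE)
    leftover = b"PATIENT RECORD (constructed sample, not real data)"
    image[5 * SECTOR_SIZE: 5 * SECTOR_SIZE + len(leftover)] = leftover
    return bytes(image)


if __name__ == "__main__":
    # Usage: python verify_wipe.py /dev/sdX   (assumed path; run against the real device read-only)
    # With no argument the constructed sample image is checked instead.
    if len(sys.argv) > 1:
        clean, bad = verify_device(sys.argv[1])
    else:
        clean, bad = verify_wiped(build_sample_image())
    if clean:
        print("PASS: media reads back as fill pattern only")
    else:
        print(f"FAIL: {len(bad)} sector(s) still hold data, first at {bad[:5]}")
    sys.exit(0 if clean else 1)
```

A read-back check like this catches the exact failure in the story: a drive handed over as "destroyed" that still carries readable data. It is a detection step, not a substitute for the disposal method itself. On flash media a clean read-back does not prove every cell has been cleared, so for data of this sensitivity the result of this check belongs in a per-serial-number disposal record alongside a certificate of physical destruction or a verified cryptographic erase.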