Brighton fined record £325,000 by ICO

1 June 2012   Rebecca Todd

Brighton and Sussex University Hospitals NHS Trust has been issued the highest ever fine by the Information Commissioner’s Office.

The £325,000 fine is for breaching the Data Protection Act, after a contractor that the trust paid to destroy hundreds of hard drives instead sold them on eBay.

It is the largest handed down by the ICO since it was granted the power to issue fines in April 2010.

More than 250 hard drives containing highly sensitive personal data on tens of thousands of patients and staff were sold on eBay in October and November 2010.

The data included details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports. It also included documents containing staff details including National Insurance numbers, home addresses, ward and hospital IDs.

The data breach occurred when a man engaged by the Trust’s IT service provider, Sussex Health Informatics Service, was employed to destroy approximately 1000 hard drives held in a room accessed by key code at Brighton General Hospital in September and October 2010.

His theft of more than 250 hard drives was discovered when a data recovery company bought four of them online and contacted the trust.

A statement from the ICO said the office was assured in its initial investigation following this discovery that only these four hard drives were stolen.

However, it was contacted by a university in April 2011 because a student had bought a hard drive containing the sensitive information.

“The trust has been unable to explain how the individual removed at least 252 of the approximate 1000 hard drives they were supposed to destroy from the hospital during their five days on site,” the ICO said.

“They are not believed to have known the key code needed to access the room where the drives were stored, and were usually supervised by staff working for HIS. However, the Trust has acknowledged that the individual would have left the building for breaks, and that the hospital is publicly accessible.”

The ICO originally proposed a fine of £375,000 in January this year. The trust challenged the decision, saying it was the victim of a crime itself.

ICO deputy commissioner and director of data protection David Smith said the size of the fine reflected the “gravity and scale of the data breach”.

“It sets an example for all organisations - both public and private - of the importance of keeping personal information secure,” he said.

“In this case, the trust failed significantly in its duty to its patients, and also to its staff.”

BSUH has committed to providing a secure central store for hard drives and other media, reviewing the process for vetting potential IT suppliers, obtaining the services of a fully accredited ISO 27001 IT waste disposal company, and making progress towards central network access.

All stolen hard drives have since been recovered with the help of the Sussex police, NHS Counter Fraud and the ICO.

A copy of the CMP notice is available on the ICO’s website.

Last updated: 1 June 2012 13:54

© 2012 EHealth Media.



IG to The rescue

infosec1 118 weeks ago

Reading the ICO information concerning the fine - I find it constitutes normal practice in many areas.

I have worked in areas where they think that putting a spike through a hard drive works.

There is a legacy of decommissioned kit out there that is stored and not disposed of correctly.

It would be interesting to find out how their practices have changed since this breach and if any processes have been audited by an external auditor prior to toolkit submission.

Regards,

A NHS I.S. Manager with 22 years experience



Who does a fine sanction?

Stevrayn 118 weeks ago

While I can only but agree that BSUH was delinquent, is a fine really an appropriate sanction? It does not inflict "punishment" on management; it simply removes that amount of money from the pot available for patients and their treatment.

Any ideas on alternatives?



The buck stops there

personal opinion 118 weeks ago

Why were the hard discs in a store in the first place? Surely when they were no longer needed they should have been destroyed there and then.

It does not take a genius to understand that if you put temptation in people's way, then it's inevitable that someone will succumb to it.

I also wonder why it appears that no one knew the discs had not been destroyed. If nothing else someone should have paid for the disposal - if only for the scrap!



This legislation is ancient and the NHS has had 32 years to get it right

dcripps 118 weeks ago

I think the original 1984 legislation was announced in 1980, and the NHS has had billions spent on IT and IT staff, staff induction and specific non-IT staff awareness training for the best part of 30-odd years.

It's about time NHS management and IT staff grow up and take responsibility like everyone else.

I started in IT for a bank in 1974 and in the first few months one of our tasks was to destroy 29 hard drives (we're talking things the size of washing machine drums) that had become partly unreadable. But they still had personal customer data on them and conceivably could be read if you weren't fussy about damaging read heads.

When I disposed of a bunch of PCs gathering mould in the cellar of my new practice I ensured that the drives were removed and wiped or damaged beyond use before everything was taken away. This is basic stuff that you cannot contract out with impunity.

If the rest of the IT world knew what needed to be done a decade before the legislation the NHS has no excuse 30 years after the legislation.



Who is the data controller

CertaCitrus 118 weeks ago

Surely the data controller was Sussex HIS?

If they were a pure IT team then maybe not but they also state informatics, surely data security, data management, info security, etc would come under this department?



Strange...

Daniel Defoe 119 weeks ago

While a fine is justly deserved for a lapse of this magnitude, it does look from the story above as though Brighton and Sussex Trust have been fined for not monitoring their service provider, Sussex HIS (another NHS organisation), to whom responsibility for the task was delegated, and who were the body who engaged the miscreant in question. I realise that "it's the same money", but surely it should have been Sussex HIS (or presumably the statutory authority responsible for them) who were fined by the ICO?



The first mistake was data on the drives...

jwaktare 119 weeks ago

The starting point here is that patient data should not have been on the hard drives in the first place. Apart from the data loss to the general public that occurred, there is the potential for data loss from HD failure (as they do inevitably after 5-7 years on average). The solution has always been to utilise those things called networked drives...

In respect of the HIS, the data controller is accountable for managing ALL third parties.

At the end of the day, Brighton have come a cropper where many others run the same or possibly higher levels of risk and get away with it. However if you get prosecuted for causing an accident when slightly over the drink driving limit, trying to use as mitigation that all your mates had drunk more than you and managed to get home safely is unlikely to work as a defence.

Doing Information Governance right isn't much more difficult than doing it wrong. Brighton have the misfortune to be taken to task for getting it demonstrably wrong, and I am sure it will help other offenders mend their ways.



Network drives are ultimately hard drives too

HMF 118 weeks ago

"Network drives" are ultimately hard drives too, so when those HDs fail they must be disposed of by using an appropriate contractor. So, if THAT contractor steals the HDs for sale on eBay, how does that help the data controller?



What responsibility does the Data Controller have for crime?

Mary Hawking 119 weeks ago

Zurich was fined - heavily - because the subcontractor of a data processor lost a USB in South Africa.

A GP was censured because a hard disc, being changed by the PCT, was stolen from a car in the surgery car park.

The Data Controller remains liable.

And insurance does not cover crimes committed by the individual or organisation: the Trust is on its own.

