Brighton and Sussex University Hospitals NHS Trust has been issued the highest ever fine by the Information Commissioner’s Office.
The £325,000 fine is for breaching the Data Protection Act, after a contractor that the trust paid to destroy hundreds of hard drives instead sold them on eBay.
It is the largest handed down by the ICO since it was granted the power to issue fines in April 2010.
More than 250 hard drives containing highly sensitive personal data on tens of thousands of patients and staff were sold on eBay in October and November 2010.
The data included details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports. It also included documents containing staff details including National Insurance numbers, home addresses, ward and hospital IDs.
The data breach occurred when a man engaged by the Trust’s IT service provider, Sussex Health Informatics Service, was employed to destroy approximately 1000 hard drives held in a room accessed by key code at Brighton General Hospital in September and October 2010.
His theft of more than 250 hard drives was discovered when a data recovery company bought four of them online and contacted the trust.
A statement from the ICO said the office was assured in its initial investigation following this discovery that only these four hard drives were stolen.
However, it was contacted by a university in April 2011 because a student had bought a hard drive containing the sensitive information.
“The trust has been unable to explain how the individual removed at least 252 of the approximate 1000 hard drives they were supposed to destroy from the hospital during their five days on site,” the ICO said.
“They are not believed to have known the key code needed to access the room where the drives were stored, and were usually supervised by staff working for HIS. However, the Trust has acknowledged that the individual would have left the building for breaks, and that the hospital is publicly accessible.”
The ICO originally proposed a fine of £375,000 in January this year. The trust challenged the decision, saying it was the victim of a crime itself.
ICO deputy dommissioner and director of data protection David Smith said the size of the fine reflected the “gravity and scale of the data breach”.
“It sets an example for all organisations - both public and private - of the importance of keeping personal information secure,” he said.
“In this case, the trust failed significantly in its duty to its patients, and also to its staff.”
BSUH has committed to providing a secure central store for hard drives and other media, reviewing the process for vetting potential IT suppliers, obtaining the services of a fully accredited ISO 27001 IT waste disposal company, and making progress towards central network access.
All stolen hard drives have since been recovered with the help of the Sussex police, NHS Counter Fraud and the ICO.
© 2012 EHealth Media.
IG to The rescueinfosec1 146 weeks ago
Reading the ICO information concerning the fine - I find it constitues normal practice in many areas.
I have worked in areas were they think that putting a spike through a harddrive works.
There is a legacy of decommissioned kit out there that are stored and not disposed of correctly.
It would be interesting to find out how their practices have changed since this breach and if any processes have been audited by an external auditor prior to toolkit submission.
A NHS I.S. Manager with 22 years experience
Who does a fine sanction?Stevrayn 146 weeks ago
While I can only but agree that BSUH was delinquent is a fine really an appropriate sanction? It does not inflict "punishment" on management it simply removes that amount of money from the pot available for patients and their treatment.
Any ideas on alternatives.
The buck stops therepersonal opinion 146 weeks ago
Why were the hard discs in a store in the first place? Surely when they were no longer needed they should have been destroyed there and then.
It does not take a genius to understand that if you put temptation in people's way, then its enevitable that someone will succumb to it.
I also wonder why it appears that no one knew the discs had not been destroyed. If nothing else someone should have paid for the disposal - if only for the scrap!
This legislation is ancient and the NHS has had 32 years to get it rightdcripps 146 weeks ago
I think the original 1984 legislation was announced in 1980 and the NHS has had bn's spent on IT and IT staff, staff induction and specific non-IT staff awareness training for the best part of 30-odd years.
It's about time NHS management and IT staff grow up and take responsibility like everyone else.
I started in IT for a bank in 1974 and in the first few months one of our tasks was to destroy 29 hard drives (we're talking things the size of washing machine drums) that had become partly unreadable. But they still had personal customer data on them and conceivably could be read if you weren't fussy about damaging read heads.
When I disposed of a bunch of PCs gathering mould in the cellar of my new practice I ensured that the drives were removed and wiped or damaged beyond use before everything was taken away. This is basic stuff that you cannot contract out with impunity.
If the rest of the IT world knew what needed to be done a decade before the legislation the NHS has no excuse 30 years after the legislation.
Who is the data controllerCertaCitrus 147 weeks ago
Surely the data controller was Sussex HIS?
If they were a pure IT team then maybe not but they also state informatics, surely data security, data management, info security, etc would come under this department?
Strange...Daniel Defoe 147 weeks ago
While a fine is justly deserved for a lapse of this magnitude, it does look from the story above as though Brighton and Sussex Trust have been fined for not monitoring their service provider, Sussex HIS (another NHS organisation), to whom responsibility for the task was delegated, and who were the body who engaged the miscreant in question. I realise that "it's the same money", but surely it should have been Sussex HIS (or presumably the statutory authority responsible for them) who were fined by the ICO?
The first mistake was data on the drives...jwaktare 147 weeks ago
The starting point here is that patient data should not have been on the hard drives in the first place. Apart from the data loss to the general public that occured, there is the potential for data loss from HD failure (as they do inevitably after 5-7 years on average). The solution has always been to utilise those things called networked drives...
In respect of the HIS, the data controller is accountable for managing ALL third parties.
At the end of the day, Brighton have come a cropper where many others run the same or possibly higher levels of risk and get away with it. However if you get prosecuted for causing an accident when slightly over the drink driving limit, trying to use as mitigation that all your mates had drunk more than you and managed to get home safely is unlikely to work as a defence.
Doing Information Governance right isn't much more difficult than doing it wrong. Brighton have the misfortune to be taken to task for getting it demonstrably wrong, and I am sure will help other offenders mend their ways
Network drives are ultimately hard drives tooHMF 146 weeks ago
"Network drives" are ultimately hard drives too, so when those HDs fail they must be disposed of by using an appropriate contractor. So, if THAT contractor steals the HDs for sale on eBay, how does that help the data controller?
What responsibility does the Data Controller have for crime?Mary Hawking 147 weeks ago
Zurich was fined - heavily - because the subcontractor of a data processor lost a USB in South Africa.
A GP was censored because a hard disc, being changed by the PCT, was stolen from a car in the surgery car park.
The Data Controller remains liable
And insurance does not cover crimes committed by the individual or organisation: the Trust is on its own.