Brighton pays data breach fine

26 November 2012   Rebecca Todd

Brighton and Sussex University Hospitals NHS Trust has paid a fine of £260,000 after a contractor sold hard drives containing patient information on eBay.

In June this year, the Information Commissioner’s Office issued the trust with a record-high fine of £325,000 for breaching the Data Protection Act.

The trust told eHealth Insider at the time that it “simply cannot afford to pay” and it would appeal to the Information Tribunal.

However, the trust’s annual report for 2011-12 says a reduced fine of £260,000 has been paid. Fines are reduced by 20% if paid within a certain time frame.

The report says the trust made “extensive written and oral representations on the notice of intent” issued in May, but paid the fine in June.

The breach occurred after a contractor that the trust paid to destroy hundreds of hard drives, containing sensitive patient information, instead sold them on eBay.

The annual report says that the hard drives were sold by a person whose company had been engaged by the Sussex Health Informatics Service to destroy them.

“All of the drives were recovered or otherwise accounted for and [the trust] remains confident that no patient identifiable data entered the public domain.

“[Brighton and Sussex's] membership of the Sussex HIS concluded at the end of the 2011-12 financial year,” it adds.

“As part of bringing ownership of IT services back in-house, which took place on 1 April 2012, [the trust] has taken appropriate steps to strengthen the processes relating to the disposal of redundant hard drives.

“[This includes] a stringent due diligence process for the engagement of contractors in the wiping and disposal of redundant hard drives.

“Through the internal auditors, the audit committee will be ensuring that the trust’s information governance arrangements are subject to a rigorous process of continuous improvement and that appropriate training continues to be provided to staff in addition to that which is given during the induction process.”

Last updated: 26 November 2012 09:57

© 2012 EHealth Media.


Harsh?

Tim Turner 86 weeks ago

The reason for the fine is the inadequacies of the contracts in place. If the contracts had been more robust, a fine would have been impossible. So it's entirely possible that BSUH have no route to recover anything from their contractors. Moreover, they spent 180,000 on legal fees before paying up, so the total figure they paid out on this case is around 400,000.

What is the point

Inter Ested 87 weeks ago

Of fining trusts? The service will fall even lower. Just fire whoever was responsible/accountable for the breach. Why should patients and other staff suffer as a result of someone failing to follow process?

Hold on...

BenA 87 weeks ago

I'm not debating if the Trust is accountable. We live in a world where contracting or outsourcing is fairly common in the NHS. You can buy software to erase data on drives, but how many Trusts across the UK have the capability to physically destroy hard drives or have the resources to go around wiping them? Yes, BSUH are liable, but all I am asking is surely the contractor should be taking some flak or the Trust pursuing them for breach of contract. Let me ask the question: for any healthcare organisation that has outsourced some form of ICT service, how can they be sure that a situation like this doesn't happen again? If you cannot put your faith in a contractor, then what are we saying, that the NHS should never use contractors? Fact is, if the contractor had done what they were meant to be doing we wouldn't be having this conversation, so why are they getting away scot-free while BSUH, the taxpayer (I assume), pick up the bill and other patient services must suffer?

The "Wake up" fine

Working in IT NHS 78 weeks ago

I have been working in the NHS for too many years now, and the general perception of risk is "it's always someone else's job...." Not so long ago I was involved in a project in which a Trust had 12,000 individuals in AD yet only 8,000 staff. When I asked where the other 4,000 had come from, the response was blank looks and shrugging of shoulders. Meaning any one of 4,000 ex-employees could have walked onto site and regained access to sensitive data. Their approach at the time was "shhhh, don't tell anyone".

So the same principles apply here with BSUH. No matter where the data is, on site, off site with an employee of the Trust at his home location or with a contractor, the fundamental issue is that BSUH owned that data and is wholly responsible, no ifs, no buts, no excuses.

What this event has given rise to within the NHS is almost a knee-jerk reaction. A lot of Trusts are now taking disposal and data destruction more seriously.

I think the next breach in general will be with mobile phones, because if we thought the process and assumptions were slack with hard drive data, you couldn't begin to imagine the absolute naivety on mobile devices.....

the capability to physically destroy hard drives

mrtablet 86 weeks ago

Silverline HA03B 8 Ounce Hardwood Shaft Claw Hammer:

GBP 3.53 Amazon.UK accessed at time of posting above.

Other brands of hammer are available. If only all IT problems were as simple to solve.

"The Facts"

george385 87 weeks ago

The fact is we don't know the facts. I would have expected the trust to be savvy enough to ensure that destruction of the data on the disks was part of the agreed work to be done.

If it wasn't then I suggest that someone was guilty of criminal negligence.

Accountability

george385 87 weeks ago

Should the trust be accountable? YES it should. The trust had a duty to ensure that patients' data is protected and respected at all times. Keeping one's fingers crossed when dealing with other people's confidential data just isn't good enough.

Harsh on BSUH

BenA 87 weeks ago

"The data controller remains liable". But surely BSUH will be taking action against the contractor (or Sussex HIS, who will be taking action against the contractor). BSUH (I assume) paid for a service and the contractor had a duty of care to destroy the drives in accordance with NHS terms and conditions and basic destruction guidelines. Breach of contract?
