01/06/2012

NHS Trust fined £325K Following Major Data Breach

Brighton and Sussex University Hospitals NHS Trust has been served with a Civil Monetary Penalty (CMP) of £325,000 following a serious breach of the Data Protection Act (DPA), the Information Commissioner’s Office (ICO) said today.

The fine is the highest issued by the ICO since it was granted the power to issue CMPs in April 2010.

It follows the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine (GUM) patients - on hard drives sold on an Internet auction site in October and November 2010.

The data included details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports. It also included documents containing staff details including National Insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences.

The data breach occurred when an individual engaged by the Trust’s IT service provider, Sussex Health Informatics Service (HIS), was tasked to destroy approximately 1000 hard drives held in a room accessed by key code at Brighton General Hospital in September and October 2010. A data recovery company bought four hard drives from a seller on an Internet auction site in December 2010, who had purchased them from the individual.

Although the ICO was assured in our initial investigation following this discovery that only these four hard drives were affected, a university contacted us in April 2011 to advise that one of their students had purchased hard drives via an Internet auction site. An examination of the drives established that they contained data which belonged to the Trust.

The Trust has been unable to explain how the individual removed at least 252 of the approximate 1000 hard drives they were supposed to destroy from the hospital during their five days on site. They are not believed to have known the key code needed to access the room where the drives were stored, and were usually supervised by staff working for HIS. However, the Trust has acknowledged that the individual would have left the building for breaks, and that the hospital is publicly accessible.

The ICO’s Deputy Commissioner and Director of Data Protection David Smith said:

"The amount of the CMP issued in this case reflects the gravity and scale of the data breach. It sets an example for all organisations - both public and private - of the importance of keeping personal information secure. That said, patients of the NHS in particular rely on the service to keep their sensitive personal details secure. In this case, the Trust failed significantly in its duty to its patients, and also to its staff."

The Trust has now committed to providing a secure central store for hard drives and other media, reviewing the process for vetting potential IT suppliers, obtaining the services of a fully accredited ISO 27001 IT waste disposal company, and making progress towards central network access.

(GK)

Related UK National News Stories
Click here for the latest headlines.

10 February 2011
ID Card Scheme Consigned To History
The National Identity Register (NIR), which was built to hold the fingerprints and personal details of millions of ID card holders, has been publicly destroyed. Home Office Minister Damian Green visited an industrial site in Essex today to shred the last of 500 hard disk drives and end the National Identity Scheme.
17 February 2005
Study reveals security risks of careless hard drive disposal
Many organisations are failing to erase confidential information from their computer hard drives before disposing of them, causing serious security risks, a university study has warned.
31 January 2013
Only Third Of Hospitals Share Crime Data With Police
Only a third of areas in England are following through on a government pledge to make hospitals share violent crime data with police, an audit has shown. The results of the Department of Health audit have cause the government to write to hospitals and chief constables for an explanation.
15 April 2015
'Usable Images' Recovered From Eastbourne Pier CCTV
Usable images have been recovered from CCTV hard drives damaged in a fire on Eastbourne Pier last July. Police investigating the suspicious fire that badly damaged the Grade II-listed pier in East Sussex, have said that forensic experts have rebuilt the hard drives and recovered usable images.
27 October 2015
15-Year-Old Arrested Over TalkTalk Data Theft
A 15-year-old boy has been arrested in connection with an alleged data theft from the TalkTalk website. The Metropolitan Police Cyber Crime Unit made the arrested on Monday at an address in County Antrim, Northern Ireland, assisted by the Police Service of Northern Ireland.