Largest UK Breach Penalty Appealed
Incident Involved Selling Hard Drives on Internet
Brighton and Sussex University Hospitals NHS Trust is appealing a £325,000 fine for a breach involving hard drives containing healthcare information on tens of thousands of individuals that were sold on the Internet.
The £325,000 fine is the largest since the UK Information Commissioner's Office began issuing civil monetary penalties in April 2010, according to a news release.
The hospitals trust is appealing the fine on the grounds that it arranged for an experienced IT service provider to dispose of the hard drives and that it acted swiftly to recover the hard drives put up for sale on eBay.
"We reported all of this voluntarily to the Information Commissioner's Office, who told me last summer that this was not a case worthy of a fine," says Duncan Selbie, chief executive of Brighton and Sussex University Hospitals, in a statement.
The compromised information on the hard drives, which were sold in October and November 2010, included details about some patients with HIV, according to the ICO. The drives included patients' medical conditions, treatment, disability living allowance forms and children's reports. It also included hospital staff details, including National Insurance numbers, home addresses, ward and hospital IDs and information relating to criminal convictions and suspected offenses.
The ICO says a staff member at Sussex Health Informatics Service, a contractor, was responsible for destroying approximately 1,000 hard drives held in a room accessed by key code at Brighton General Hospital in September and October 2010. "A data recovery company bought four hard drives from a seller on an Internet auction site in December 2010, who had purchased them from the [Sussex Health Informatics Service staff member]," according to the news release.
In its initial investigation, the ICO was assured that only the four hard drives were affected in the breach. However, a university contacted the ICO in April 2011 explaining that a student had purchased 20 hard drives via an Internet auction site that contained data that belonged to the trust.
Based on an examination by the ICO, at least 15 out of the 20 hard drives contained sensitive information, the penalty notice explains.
The ICO said that the individual designated to destroy the 1,000 hard drives removed at least 252 of them rather than destroying them. Of those 252, at least 232 were sold online in two batches in October and November 2010. According to the penalty notice, attempts have been made by the police and the hospitals trust to recover the 232 hard drives. "These have all now been accounted for although not all of them have been recovered," the ICO said.
The large fine in this case "sets an example for all organizations - both public and private - of the importance of keeping personal information secure," says David Smith, ICO's deputy commissioner and director of data protection.
The Brighton and Sussex University Hospitals NHS Trust has committed to providing a secure central store for hard drives and other media and is reviewing its vendor vetting process, the ICO says.