ICO hits NHS trust with record £325,000 fine

Data protection watchdog hits Brighton and Sussex University Hospitals Trust with penalty following staff and patient data breach.

The Information Commissioner's Office (ICO) has issued its largest ever fine against an NHS trust that disclosed personal details about thousands of staff and patients.

The Brighton and Sussex University Hospitals NHS Trust has been hit with a £325,000 penalty, the largest the ICO has ever issued, after the details were discovered on hard drives sold via an internet auction site in 2010.

The ICO said the hard drives contained information about patients' medical conditions and treatments, disability living allowance forms and children's reports.

They also contained staff National Insurance numbers, home addresses, criminal convictions and suspected offences.

The storage devices were in a batch of 1,000 disk drives that had been earmarked for destruction and had been stored in a room at Brighton General Hospital that was only accessible using a key code.

However, a data recovery company then purchased them online, along with two other drives, in December 2010.

"The ICO was assured in our initial investigation that only four hard drives were affected, [but] a university contacted us in April 2011 to advise that one of their students had purchased drives via an internet auction site," said the ICO in a press statement.

"An examination of the drives established that they contained data which belonged to the Trust."

It is thought that at least 252 of the 1,000 drives were removed from the room without permission, and the ICO claims the Trust has been unable to provide an explanation.

That being said, the ICO statement suggests a member of staff working for a third-party IT supplier may have been involved.

David Smith, the ICO's deputy commissioner and director of data protection, said the size of the fine reflects the "gravity and scale" of the breach.

"Patients of the NHS, in particular, rely on the service to keep their sensitive personal details secure. In this case, the Trust failed significantly in its duty to its patients, and also to its staff," said Smith.

At the time of writing, IT Pro was awaiting a comment from the Trust about the data breach.

Nick Banks, vice president of EMEA and APAC at Imation Mobile Security, said the situation could have been easily avoided.

"Had these drives been encrypted and managed, the drives would have been disabled and the data kept secure, so the trust could have avoided a massive financial penalty, distress to patients and very serious damage to its reputation," said Banks.

"Instead it will have to find room in its budget to pay a £325,000 fine, money which will come from the public purse."
