ICO hits NHS trust with record £325,000 fine

Data protection watchdog hits Brighton and Sussex University Hospitals Trust with penalty following staff and patient data breach.

broken hard disk

The Information Commissioner's Office (ICO) has issued its largest ever fine against a NHS trust that disclosed personal details about thousands of staff and patients.

The Brighton and Sussex University Hospitals NHS Trust has been hit with a 325,000 penalty, the largest the ICO has ever issued, after the details were discovered on hard drives sold via an internet auction site in 2010.

NHS patients rely on the service to keep their sensitive personal details secure.

The ICO said the hard drives contained information about patients' medical conditions and treatments, disability living allowance forms and children's reports.

They also contained staff National Insurance numbers, home addresses, criminal convictions and suspected offences.

The storage devices were in a batch of 1,000 disk drives that had been earmarked for destruction and had been stored in a room at Brighton General Hospital that was only accessible using a key code.

However, a data recovery company then purchased them online, along with two other drives, in December 2010.

"The ICO was assured in our initial investigation that only four hard drives were affected, [but] a university contacted us in April 2011 to advise that one of their students had purchased drives via an internet auction site," said the ICO in a press statement.

"An examination of the drives established that they contained data which belonged to the Trust."

It is thought that at least 252 of the 1,000 drives were removed from the room without permission, and the ICO claims the Trust has been unable to provide an explanation.

That being said, the ICO statement suggests a member of staff working for a third party IT supplier may have been involved.

David Smith, the ICO's deputy commissioner and director of data protection, said the size of the fine reflects the "gravity and scale" of the breach.

"Patients of the NHS, in particular, rely on the service to keep their sensitive personal details secure. In this case, the Trust failed significantly in its duty to its patients, and also to its staff," said Smith.

At the time of writing, IT Pro was awaiting a comment from the Trust about the data breach.

Nick Banks, vice president of EMEA and APAC at Imation Mobile Security, said the situation could have been easily avoided.

"Had these drives been encrypted and managed, the drives would have been disabled and the data kept secure, so the trust could have avoided a massive financial penalty, distress to patients and very serious damage to its reputation," said Banks.

"Instead it will have to find room in its budget to pay a 325,000 fine, money which will come from the public purse."

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Identity Automation launches credential breach monitoring service
phishing

Identity Automation launches credential breach monitoring service

5 Oct 2021
Neiman Marcus data breach hits 4.6 million customers
data breaches

Neiman Marcus data breach hits 4.6 million customers

4 Oct 2021
Indiana notifies 750,000 after COVID-19 tracing data accessed
data breaches

Indiana notifies 750,000 after COVID-19 tracing data accessed

18 Aug 2021
Pearson fined $1 million for downplaying severity of 2018 breach
data breaches

Pearson fined $1 million for downplaying severity of 2018 breach

17 Aug 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
HPE wins networking contract with Birmingham 2022 Commonwealth Games
Network & Internet

HPE wins networking contract with Birmingham 2022 Commonwealth Games

15 Oct 2021
Veritas Backup Exec 21.3 review: Covers every angle
backup software

Veritas Backup Exec 21.3 review: Covers every angle

14 Oct 2021