UK ICO hands out largest ever data breach penalty
06 Jun 2012
Brighton-based NHS Trust fined £325k after patient data sold on eBay but says it will appeal.
“The ICO has got teeth, and they are sharp”: that was the message to UK organisations from Information Commissioner Christopher Graham when he spoke at the Infosec conference back in April.
Last week, he demonstrated clearly that he intends to stick by those words, as the organisation he heads – the Information Commissioner’s Office (ICO) – meted out a £325,000 fine to the Brighton and Sussex University Hospitals NHS Trust.
The penalty followed an investigation that found that hard drives previously owned by the Trust, and containing sensitive personal information, were stolen and subsequently ended up for sale to the public without having been properly erased. Specifically, they contained medical records, home addresses and National Insurance numbers of “tens of thousands” of patients treated by the Trust’s HIV and Genito-Urinary Medicine unit, according to the ICO.
The fine is more than double the ICO’s previous highest fine of £140,000, imposed on Scottish local authority Midlothian Council in January 2012, but the Brighton and Sussex University Hospitals NHS Trust has said it will appeal, saying it “simply cannot afford it.”
In its summary of the case, the ICO says that the Trust’s IT provider, the NHS-owned Sussex Health Informatics Service (HIS), was tasked with destroying 1,000 hard drives back in 2010. The job was passed on to a third party, however: a company consisting of just one individual who had no formal contract with HIS. “Only very basic checks were made by HIS on the individual’s credentials,” the ICO report notes, and the Trust was not made aware that HIS had engaged this person to destroy the hard drives.
Problems subsequently came to light in December that year, when a data recovery company bought four hard drives from a seller, who in turn had purchased them from the individual working for HIS. One drive contained a database containing the results of sexually transmitted disease tests of almost 68,000 patients; another contained a database with the names and addresses of 1,527 HIV-positive patients.
Once aware of the breach, the ICO began an investigation, but was assured by the NHS Trust that the problems extended only as far as these four hard drives. In April 2011, however, a university contacted the ICO with news that one of its students had bought 20 hard drives on eBay, fifteen of which were found to contain data belonging to the Trust.
In all, the individual who was supposed to destroy the disks in a code-protected room on hospital premises sold at least 232 of them on eBay. Sussex Police says it arrested a 36-year-old man on suspicion of theft but found insufficient evidence to charge him.
The Trust breached the Data Protection Act, the ICO says, because it "failed to choose a data processor providing sufficient guarantees" regarding information security. The breach met the criteria for a fine because it was likely to cause "substantial distress" to data subjects, and because the Trust was aware of the risk of such a breach but failed to take the necessary precautions.
However, the Trust disputes the ICO’s findings, “especially that we were reckless,” said Duncan Selbie, CEO of Brighton and Sussex University Hospitals, in a public statement. “We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay. No sensitive data has therefore entered the public domain,” he said.
“In a time of austerity, we have to ensure more than ever that we deliver the best and safest care to our patients with the money that we have available,” he continued. “We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal.”