ICO hits NHS trust with record £325,000 fine

broken hard disk

The Information Commissioner's Office (ICO) has issued its largest ever fine against a NHS trust that disclosed personal details about thousands of staff and patients.

The Brighton and Sussex University Hospitals NHS Trust has been hit with a 325,000 penalty, the largest the ICO has ever issued, after the details were discovered on hard drives sold via an internet auction site in 2010.

NHS patients rely on the service to keep their sensitive personal details secure.

The ICO said the hard drives contained information about patients' medical conditions and treatments, disability living allowance forms and children's reports.

They also contained staff National Insurance numbers, home addresses, criminal convictions and suspected offences.

The storage devices were in a batch of 1,000 disk drives that had been earmarked for destruction and had been stored in a room at Brighton General Hospital that was only accessible using a key code.

However, a data recovery company then purchased them online, along with two other drives, in December 2010.

"The ICO was assured in our initial investigation that only four hard drives were affected, [but] a university contacted us in April 2011 to advise that one of their students had purchased drives via an internet auction site," said the ICO in a press statement.

"An examination of the drives established that they contained data which belonged to the Trust."

It is thought that at least 252 of the 1,000 drives were removed from the room without permission, and the ICO claims the Trust has been unable to provide an explanation.

That being said, the ICO statement suggests a member of staff working for a third party IT supplier may have been involved.

David Smith, the ICO's deputy commissioner and director of data protection, said the size of the fine reflects the "gravity and scale" of the breach.

"Patients of the NHS, in particular, rely on the service to keep their sensitive personal details secure. In this case, the Trust failed significantly in its duty to its patients, and also to its staff," said Smith.

At the time of writing, IT Pro was awaiting a comment from the Trust about the data breach.

Nick Banks, vice president of EMEA and APAC at Imation Mobile Security, said the situation could have been easily avoided.

"Had these drives been encrypted and managed, the drives would have been disabled and the data kept secure, so the trust could have avoided a massive financial penalty, distress to patients and very serious damage to its reputation," said Banks.

"Instead it will have to find room in its budget to pay a 325,000 fine, money which will come from the public purse."

Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.