The ICO has handed out its biggest ever financial penalty, fining Brighton and Sussex University Hospitals NHS Trust £325,000 following a "serious breach" of the Data Protection Act (DPA).
The Trust has already said it will appeal the decision.
The case dates back to October and November 2010, when hard drives containing sensitive information on tens of thousands of patients appeared for sale on eBay. The information included details of patients' medical conditions and treatment, disability living allowance forms and children's reports. Details of patients receiving HIV and Genito Urinary Medicine (GUM) treatment were also included.
The sensitive information was not limited to patients – documents containing staff details including National Insurance numbers, home addresses, ward and hospital IDs and information referring to criminal convictions and suspected offences were also lost.
The data breach occurred when the Trust commissioned its IT Services provider, Sussex Health Informatics Service (HIS), to destroy around 1,000 hard drives that were no longer needed. The drives were being held in a room accessible only by key code at Brighton General Hospital.
An individual employed by HIS to carry out the task subsequently sold four of the drives on an online auction site. They were bought by a data recovery company.
According to the ICO, the Trust initially said that only those four drives had gone missing. However, a university subsequently contacted the ICO to say that one of its students had bought a hard drive which was found to contain data belonging to the Trust.
The ICO says that in total 252 of the 1,000 hard drives due for destruction were removed from the hospital and, presumably, sold on. The ICO says it has been unable to establish how the individual managed to remove that many drives without being noticed.
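The gap the ICO describes (1,000 drives handed over, four initially reported missing, 252 actually unaccounted for) is exactly what a chain-of-custody reconciliation is meant to surface before the contractor leaves the building. The script below is an added example and is not code from the article, the Trust or HIS: it reconciles a disposal manifest of drive serial numbers against the certificates of destruction returned, and flags drives with no certificate, certificates for drives that were never handed over, duplicate certificates, and certificates whose destruction method is not on an approved list. The serial numbers, asset tags, contractor name and approved-method list are constructed for illustration.

```python
"""Reconcile a media-disposal manifest against certificates of destruction.

Added example, not from the article, the Trust or HIS. All serial numbers,
asset tags, contractor names and the approved-method list are constructed.
"""
from dataclasses import dataclass, field
from typing import Iterable

# Assumed policy: only these methods count as destruction of a drive.
APPROVED_METHODS = {"shred", "degauss", "crypto-erase"}


@dataclass(frozen=True)
class Drive:
    """One drive handed to the disposal contractor (from the manifest)."""
    serial: str
    asset_tag: str
    contains_pii: bool  # True if the drive held patient or staff data


@dataclass(frozen=True)
class Certificate:
    """One certificate of destruction returned by the contractor."""
    serial: str
    method: str
    destroyed_by: str


@dataclass
class Reconciliation:
    destroyed: set = field(default_factory=set)      # valid certificate
    missing: set = field(default_factory=set)        # on manifest, no certificate
    missing_pii: set = field(default_factory=set)    # subset of missing holding PII
    unexpected: set = field(default_factory=set)     # certified but never handed over
    duplicate_certs: set = field(default_factory=set)
    unapproved_method: set = field(default_factory=set)

    @property
    def clean(self) -> bool:
        """True only when every manifest drive has one valid certificate."""
        return not (self.missing or self.unexpected
                    or self.duplicate_certs or self.unapproved_method)


def reconcile(manifest: Iterable[Drive], certificates: Iterable[Certificate],
              approved=APPROVED_METHODS) -> Reconciliation:
    """Partition manifest serials into destroyed / missing / unapproved,
    and certificate serials into unexpected / duplicate."""
    result = Reconciliation()
    by_serial = {d.serial: d for d in manifest}
    seen = set()
    for cert in certificates:
        if cert.serial in seen:
            result.duplicate_certs.add(cert.serial)
            continue
        seen.add(cert.serial)
        if cert.serial not in by_serial:
            result.unexpected.add(cert.serial)
        elif cert.method not in approved:
            result.unapproved_method.add(cert.serial)
        else:
            result.destroyed.add(cert.serial)
    # Every manifest drive with no certificate at all is unaccounted for.
    for serial, drive in by_serial.items():
        if serial not in seen:
            result.missing.add(serial)
            if drive.contains_pii:
                result.missing_pii.add(serial)
    return result


# Constructed sample data: six drives handed over, five certificates returned.
MANIFEST = [
    Drive("WD-WCAV5E0P0001", "BGH-0001", True),
    Drive("WD-WCAV5E0P0002", "BGH-0002", True),
    Drive("WD-WCAV5E0P0003", "BGH-0003", False),
    Drive("WD-WCAV5E0P0004", "BGH-0004", True),
    Drive("WD-WCAV5E0P0005", "BGH-0005", False),
    Drive("WD-WCAV5E0P0006", "BGH-0006", True),
]
CERTIFICATES = [
    Certificate("WD-WCAV5E0P0001", "shred", "contractor-A"),
    Certificate("WD-WCAV5E0P0002", "degauss", "contractor-A"),
    Certificate("WD-WCAV5E0P0002", "degauss", "contractor-A"),  # duplicate
    Certificate("WD-WCAV5E0P0003", "format", "contractor-A"),   # not destruction
    Certificate("WD-WCAV5E0P0009", "shred", "contractor-A"),    # never handed over
]


def demo() -> Reconciliation:
    return reconcile(MANIFEST, CERTIFICATES)


if __name__ == "__main__":
    r = demo()
    print(f"handed over: {len(MANIFEST)}  certified destroyed: {len(r.destroyed)}")
    for label in ("missing", "missing_pii", "unexpected",
                  "duplicate_certs", "unapproved_method"):
        print(f"{label}: {sorted(getattr(r, label))}")
    print("clean:", r.clean)
```

The useful property is that the three manifest buckets (destroyed, missing, unapproved) always sum to the number of drives handed over, so a headline count mismatch cannot be explained away by a handful of returned drives: each serial is either covered by a valid certificate or it is a potential breach until it is physically located. The duplicate and unexpected buckets catch a contractor padding the certificate list.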
In a strongly worded statement from Brighton and Sussex University Hospitals NHS Trust, CEO Duncan Selbie said it would appeal the decision and accused the ICO of "ignoring" some aspects of the case.
"We dispute the Information Commissioner’s findings, especially that we were reckless, a requirement for any fine," the statement read. "We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay. No sensitive data has therefore entered the public domain. We reported all of this voluntarily to the ICO, who told me last summer that this was not a case worthy of a fine."
"The Information Commissioner has ignored our extensive representations. It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine despite repeated attempts to find out, including a freedom of information request which they interestingly refused on the basis that it would ‘prejudice the monetary penalty process’," the statement added.
Selbie concluded: "In a time of austerity, we have to ensure more than ever that we deliver the best and safest care to our patients with the money that we have available. We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal."