View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

ICO hands out biggest ever fine to ‘surprised’ NHS Trust

£325,000 fine after decommissioned hard drives were sold on eBay; Trust says it will appeal decision and criticises ICO's actions

By Steve Evans

The ICO has handed out its biggest ever financial penalty, fining Brighton and Sussex University Hospitals NHS Trust £325,000 following a "serious breach" of the Data Protection Act (DPA).

The Trust has already said it will appeal the decision.

The case dates back to October and November 2010, when hard drives containing sensitive information on tens of thousands of patients appeared for sale on eBay. The information included details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports. Details of patients undergoing HIV and Genito Urinary Medicine (GUM) were also included.

The sensitive information was not limited to patients – documents containing staff details including National Insurance numbers, home addresses, ward and hospital IDs and information referring to criminal convictions and suspected offences were also lost.

The data breach occurred when the Trust commissioned its IT Services provider, Sussex Health Informatics Service (HIS), to destroy around 1,000 hard drives that were no longer needed. The drives were being held in a room accessible only by key code at Brighton General Hospital.

An individual employed by HIS to carry out the task subsequently sold four of the drives on an online auction site. They were bought by a data recovery company.

According to the ICO the Trust initially said only those four drives went missing. However another university subsequently contacted the ICO claiming one of its students had bought a hard drive which was found to contain data belonging to the Trust.

Content from our partners
Unlocking growth through hybrid cloud: 5 key takeaways
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape

The ICO claims in total 252 of the 1,000 hard drives due for destruction were removed from the Hospital and, presumably, subsequently sold. The ICO says it has been unable to work out how the individual managed to remove all the hard drives without being noticed.

In a strongly worded statement from Brighton and Sussex University Hospitals NHS Trust, CEO Duncan Selbie said it would appeal the decision and accused the ICO of "ignoring" some aspects of the case.

"We dispute the Information Commissioner’s findings, especially that we were reckless, a requirement for any fine," the statement read. "We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay. No sensitive data has therefore entered the public domain. We reported all of this voluntarily to the ICO, who told me last summer that this was not a case worthy of a fine."

"The Information Commissioner has ignored our extensive representations. It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine despite repeated attempts to find out, including a freedom of information request which they interestingly refused on the basis that it would ‘prejudice the monetary penalty process’," the statement added.

Selbie concluded: "In a time of austerity, we have to ensure more than ever that we deliver the best and safest care to our patients with the money that we have available. We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal."


Further reading:

ICO hands out first NHS fine

ICO dishes out second NHS data loss fine

ICO hits Barnet Council with data loss penalty

ICO hands out record fine to Scottish council

NHS Trust faces £375k ICO fine over stolen hard drives

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.