Brighton and Sussex University Hospitals NHS Trust is facing a potential fine of £375,000 after 232 hard drives containing sensitive patient information were stolen.
The theft happened in September 2010 at Brighton General Hospital. The drives contained sensitive information on tens of thousands of patients and members of staff. The Trust had subcontracted the decommissioning of the drives to a registered contractor, according to the Press Association.
Police were alerted to the theft when the drives turned up on auction site eBay. A man was arrested on suspicion of theft and bailed on a number of occasions before it was decided that no action should be taken.
The Information Commissioner’s Office (ICO) has now apparently sent the NHS Trust a letter proposing the fine, which would be the largest it has ever handed out for a breach of the Data Protection Act (DPA).
The current highest fine is the £130,000 penalty handed out to Powys County Council in Wales after it sent details of a child protection case to the wrong recipient.
Brighton and Sussex University Hospitals NHS Trust has said it will fight the fine, as it was in fact the victim of a crime. "As soon as we were alerted to this, we informed the police and with their help we recovered all the hard drives stolen by this individual," said chief executive Duncan Selbie in a statement.
"We are confident that there is a very low risk of any of the data from them having passed into the public domain. We have subsequently received a notice from the ICO proposing a fine of £375,000 which we are, in the circumstances, challenging."
An ICO spokesman said: "The ICO is currently making inquiries into a possible breach of the Data Protection Act and is unable to speculate on what action will be taken at this time."
Meanwhile the ICO has fined a health worker after she was found to have illegally accessed the medical records of five members of her ex-husband’s family in order to obtain their phone numbers.
Juliah Kechil was fined £500 and also ordered to pay £1,000 towards prosecution costs and a £15 victim surcharge after being convicted under section 55 of the DPA. The accesses were traced through audit trails which were linked to the defendant’s smartcard ID, the ICO said.