The UK Information Commissioner’s Office (ICO) has fined NHS Surrey £200,000 over the loss of sensitive data belonging to more than 3,000 patients.
According to the watchdog, thousands of children’s patient records were discovered on a second-hand NHS computer that was auctioned on an online auction site.
The regulator reported that NHS Surrey failed to ensure that a data destruction firm had correctly disposed of the records.
ICO head of enforcement Stephen Eckersley said the facts of the breach were truly shocking.
"NHS Surrey chose to leave an approved provider and handed over thousands of patients’ details to a company without checking that the information had been securely deleted," Eckersley said.
"The result was that patients’ information was effectively being sold online.
"This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case," he said.
During the course of its investigation, the ICO found that the data destruction firm had offered to dispose of the computers free of charge in return for the proceeds from selling salvageable parts.
The investigation also recovered 39 computers that had been sold on by the data destruction firm; three of their hard disks still held sensitive records.
The ICO also found that the firm had given assurances that the hard disks would be crushed with an industrial guillotine, but NHS Surrey neither observed the destruction process nor had a contract in place with its new provider setting out the legal requirements for data destruction.
NHS Surrey was decommissioned in March 2013 after some of its legal responsibilities were transferred to the NHS Commissioning Board.