An NHS trust has been fined £325,000 by a data protection watchdog after highly sensitive files of tens of thousands of patients, including details of HIV treatment, ended up being sold on eBay.
Brighton and Sussex University Hospitals NHS Trust was given the penalty because it failed to ensure hard drives containing the information were wiped after they were handed over to a contractor.
The fine from the Information Commissioner’s Office (ICO) is the highest issued by the watchdog since it was granted the power in April 2010.
The trust’s IT service provider, Sussex Health Informatics Service, was tasked to destroy information on around 1,000 hard drives in September and October 2010 that were held in a room accessed by key code at Brighton General Hospital.
But they handed the job over to an unnamed individual sub contractor who did not wipe the drives and he took at least 252 out of the hospital and 232 of them found their way on to the internet in October and November 2010. He was arrested by police but no charges were brought over the incident, the trust said.
The trust said it disputed the ICO’s finding and said it would appeal. It said it had recovered all the disks and no information had got into the public domain and it could not afford the fine.
The breach of data protection was discovered when a data recovery company bought four hard drives from a seller on eBay in December 2010, who had purchased them from the sub contractor.
The ICO said the trust has been unable to explain how the individual removed the hard drives they were supposed to wipe from the hospital during their five days on site as he was supervised and did not know the code for the door.
The ICO’s deputy commissioner and director of data protection, David Smith, said: “The amount issued in this case reflects the gravity and scale of the data breach. It sets an example for all organisations – both public and private – of the importance of keeping personal information secure.”
Chief executive of Brighton and Sussex University Hospitals, Duncan Selbie, said in a statement: “We dispute the Information Commissioner’s findings, especially that we were reckless, a requirement for any fine. In a time of austerity, we have to ensure more than ever that we deliver the best and safest care to our patients with the money that we have available. We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal.”