An NHS Trust in Brighton faces a fine of £350,000 after hard drives containing patient data were stolen and sold on auction website eBay.
According to the Argus newspaper, 232 hard drives were stolen from PCs that were kept in a locked store room at Brighton General Hospital. Four of the drives were later sold on eBay. The buyer informed Brighton and Sussex University Hospitals NHS Trust of the incident, and a later investigation revealed the extent of the theft.
The Information Commissioner’s Office said the Trust’s failure to protect its patients’ data was likely to "cause substantial distress to data subjects whose personal and highly sensitive personal data has been taken by an individual who had no right to see that information".
The ICO has served the Trust with notice of the £350,000 fine. If upheld, it would be almost three times the current record, a £130,000 penalty handed to Powys County Council last month. The council had accidentally posted details of a child protection case to the wrong recipients after they were picked up from a shared printer.
The Trust is contesting the fine, and has until January 23 to present its case.
Jon Baines, a blogger and data protection specialist working in local government, observed that fining the NHS such a large amount of money could prove problematic for the ICO.
"If this [fine] is served, then the Information Commissioner might be faced with headlines equating (for example) £375,000 to the amount it costs to employ a nurse, or a doctor or provide essential but costly medical treatment," Baines wrote yesterday.