An NHS Trust in Brighton has been served with the largest ever fine issued by the Information Commissioner, after hospital hard drives containing sensitive patient data were sold on eBay.
The hard drives contained medical records, home addresses and National Insurance numbers of "tens of thousands" of patients, the ICO said today, including children and patients treated by the Trust's HIV and Genito Urinary Medicine unit.
The ICO has issued a £325,000 penalty to the Trust, more than double its previous record fine. The Trust will appeal the ruling, saying it "simply cannot afford" it.
In 2010, the Trust's IT provider, the NHS-owned Sussex Health Informatics Service (HIS), was tasked with destroying 1,000 hard drives. One of its contractors recommended that a third party – a company of one individual – destroy the hard drives.
"Apparently, [the Trust] was not aware that HIS had engaged the individual to destroy the hard drives stored at the hospital," the ICO says in its summary of the case.
In December 2010, a data recovery company bought four of the hard drives on eBay, one of which contained a database the results of sexually transmitted disease tests of 67,842 patients. Another contained a database contained the names and addresses of 1,527 HIV positive patients.
The data recovery company alerted the Trust, which reported the incident to the ICO. At the time, it insisted that only the four hard drives were affected and that all others were secure, the ICO claims.
However, in April 2011, a student bought a number of hard drives on eBay that appeared to have belonged to the Trust. These drives again contained sensitive patient data.
The ICO says the individual sold at least 232 of the Trust's hard drives on eBay. Sussex Police says it arrested a 36-year old man on suspicion of theft, but there was insufficient evidence to charge him. "He was bailed several times before being NFA (no further action) on 17 July 2011," the police force said in a statement.
The Trust breached the Data Protection Act, the ICO says, because it "failed to choose a data processor providing sufficient guarantees" regarding information security.
The breach met the criteria for a fine because it was likely to cause "substantial distress" to data subjects, and because the Trust was aware of the risk of such a breach but failed to take the necessary precautions.
Duncan Selbie, CEO of Brighton and Sussex University Hospitals, says that Trust disputes the ICO's findings, "especially that we were reckless".
"We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay. No sensitive data has therefore entered the public domain."
"In a time of austerity, we have to ensure more than ever that we deliver the best and safest care to our patients with the money that we have available," he added. "We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal.”