The Information Commissioner’s Office has issued its largest fine to date. Brighton and Sussex University Hospitals NHS Trust has been given a £325,000 ‘Civil Monetary Penalty’ (CMP). The data watchdog was given the power to issue CMPs in April 2010. The south coast NHS trust is appealing.
Chief Executive of Brighton and Sussex University Hospitals, Duncan Selbie said: “We dispute the Information Commissioner’s findings, especially that we were reckless, a requirement for any fine. We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay. No sensitive data has therefore entered the public domain. We reported all of this voluntarily to the Information Commissioner’s Office, who told me last summer that this was not a case worthy of a fine.
“The Information Commissioner has ignored our extensive representations. It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine despite repeated attempts to find out, including a freedom of information request which they interestingly refused on the basis that it would “prejudice the monetary penalty process’. In a time of austerity, we have to ensure more than ever that we deliver the best and safest care to our patients with the money that we have available. We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal.”
This case according to the ICO follows the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine (GUM) patients – on hard drives sold on an internet auction site in October and November 2010. The data included details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports. It also included documents containing staff details including National Insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences.
The data breach occurred, according to the watchdog, when an individual engaged by the trust’s IT service provider, Sussex Health Informatics Service (HIS), was tasked to destroy about 1000 hard drives held in a room accessed by key code at Brighton General Hospital in September and October 2010. A data recovery company bought four hard drives from a seller on an internet auction site in December 2010, who had purchased them from the individual.
Although the ICO was assured in an initial investigation after this discovery that only these four hard drives were affected, a university contacted the watchdog in April 2011 to advise that one of their students had purchased hard drives via an internet auction site. An examination of the drives established that they contained data which belonged to the trust.
The watchdog said that the trust has been unable to explain how the individual removed at least 252 of the approximate 1000 hard drives they were supposed to destroy from the hospital during their five days on site. They are not believed to have known the key code needed to access the room where the drives were stored, and were usually supervised by staff working for HIS. However, the ICO added, the trust has acknowledged that the individual would have left the building for breaks, and that the hospital is publicly accessible.
The ICO’s Deputy Commissioner and Director of Data Protection David Smith said: “The amount of the CMP issued in this case reflects the gravity and scale of the data breach. It sets an example for all organisations – both public and private – of the importance of keeping personal information secure. That said, patients of the NHS in particular rely on the service to keep their sensitive personal details secure. In this case, the Trust failed significantly in its duty to its patients, and also to its staff.”
The trust has now committed to providing a secure central store for hard drives and other media, reviewing the process for vetting potential IT suppliers, obtaining the services of a fully accredited ISO 27001 (the international standard for information security management) IT waste disposal company, and making progress towards central network access.
Commenting on the news, Nick Banks, vice president, EMEA and APAC, Imation Mobile Security, says: “This is the largest fine ever issued by the Information Commissioner’s Office, which shows how seriously the ICO views the data breach which has occurred in this case.
“Had these drives been encrypted and managed, the drives would have been disabled and the data kept secure, so the trust could have avoided a massive financial penalty, distress to patients and very serious damage to its reputation. Instead it will have to find room in its budget to pay a £325,000 fine, money which will come from the public purse. The sensible option would have been to spend a fraction of that money on purchasing encrypted hard drives in the first place, which would have prevented this very damaging episode.
“As the hard drives were seemingly unencrypted, the sensitive information they contained could be easily accessed by anyone in possession of one of the drives. Clearly for information such as patient records, medical histories and children’s reports, this is unacceptable and this is probably one of the reasons why the ICO has decided to issue such a large fine.”
