£325,000 fine for data breach

It follows the discovery that highly sensitive personal data belonging to tens of thousands of patients and staff was on hard drives sold on an Internet auction site.

The data breach occurred when an individual engaged by the Trust’s IT service provider was tasked to destroy approximately 1000 hard drives held in a room accessed by key code at Brighton General Hospital. A data recovery company bought four hard drives on an Internet auction site from a seller who had purchased them from the individual.

Although the ICO was assured in its initial investigation that only these four hard drives were affected, more hard drives purchased via an Internet auction site were found to contain data which belonged to the Trust.

The Trust was unable to explain how the individual removed at least 252 of the hard drives they were supposed to destroy from the hospital during their five days on site.

David Smith, the ICO’s Deputy Commissioner and Director of Data Protection, said:

“The amount of the CMP issued in this case reflects the gravity and scale of the data breach. It sets an example for all organisations – both public and private – of the importance of keeping personal information secure. That said, patients of the NHS in particular rely on the service to keep their sensitive personal details secure. In this case, the Trust failed significantly in its duty to its patients, and also to its staff.”