NHS trust to challenge largest ever £325k data breach fine
01 June 2012
An NHS trust in Brighton has been slammed with a £325,000 fine by the Information Commissioner's Office (ICO) after hard drives were sold online containing sensitive data on tens of thousands of patients and staff. But the trust disputes the ICO's findings and is to appeal against the fine which it said it cannot afford.
Brighton and Sussex University Hospitals NHS Trust was served with the largest ever data breach penalty after it was discovered that highly sensitive personal data, some of which belonged to HIV and Genito Urinary Medicine (GUM) patients, had been stored on hard drives sold on an internet auction site back in 2010, the ICO said.
The data was found to include details of patients' medical conditions and treatment, disability living allowance forms and children's reports. National Insurance numbers, home addresses, ward and hospital IDs, and information on criminal convictions and suspected offences were also discovered.
The breach took place when an individual was engaged by the trust's IT provider, Sussex Health Informatics Service, to destroy 1,000 hard drives in a key-code-protected room at Brighton General Hospital during September and October 2010.
A data recovery company then bought four hard drives in December that year from an online seller, who had purchased them from the individual.
The ICO was initially assured that only these four hard drives had been affected. But it then emerged in April 2011 that a university student had purchased hard drives containing the trust's information.
The regulator said the individual removed at least 252 of the hard drives they were supposed to destroy during their five days on site, but that the trust could not explain how, given that the individual was not believed to know the room's key code and that the IT provider's staff were usually supervising. However, it was acknowledged that the individual would have left the building for breaks, and that the hospital is publicly accessible.
ICO deputy commissioner David Smith said the fine issued reflected the "gravity and scale of the data breach".
"It sets an example for all organisations - both public and private - of the importance of keeping personal information secure," he said.
"Patients of the NHS in particular rely on the service to keep their sensitive personal details secure. In this case, the trust failed significantly in its duty to its patients, and also to its staff."
But the trust does not accept the ICO's conclusions. Duncan Selbie, chief executive of Brighton and Sussex University Hospitals, insisted that no data had entered the public domain, disputing the need for the fine and disagreeing that the trust had been "reckless".
"We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay," he said. "No sensitive data has therefore entered the public domain."
Selbie said the ICO had told him last summer that the case was not worthy of a fine. "The Information Commissioner has ignored our extensive representations," he said. "It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine.
"In a time of austerity, we have to ensure more than ever that we deliver the best and safest care to our patients with the money that we have available. We simply cannot afford to pay a £325,000 fine and are therefore appealing to the information tribunal."