Brighton hospital fined record £325,000 over data theft
- 1 June 2012
A hospital trust has been fined £325,000 after computer hard drives containing confidential information on thousands of patients were stolen.
The Information Commissioner's Office (ICO) said the fine, for Brighton and Sussex University Hospitals NHS Trust, was the highest it had ever imposed.
Personal data belonging to patients and staff was taken from Brighton General Hospital in September 2010.
The trust said it could not afford to pay the fine and would appeal.
Highly sensitive personal data belonging to tens of thousands of people, including some relating to HIV and Genito Urinary Medicine patients, was discovered on hard drives sold on eBay in October and November 2010.
The ICO said the data included details of patients' medical conditions and treatment, disability living allowance forms and children's reports.
Destroy hard drives
It also included staff details including National Insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences.
The data breach occurred when an individual working for the trust's IT service provider, Sussex Health Informatics Service (HIS), was told to destroy approximately 1,000 hard drives at Brighton General Hospital.
A data recovery company bought four hard drives from a seller on eBay, who had purchased them from the individual.
The ICO said the trust was unable to explain how the individual removed from the hospital at least 252 of the hard drives that were supposed to be destroyed.
The worker was not believed to have known the key code needed to access the room where the drives were stored, and was usually supervised by staff working for HIS.
The ICO's deputy commissioner David Smith said the fine reflected the gravity and scale of the data breach.
"It sets an example for all organisations - both public and private - of the importance of keeping personal information secure," he said.
The trust's chief executive, Duncan Selbie, said no sensitive data had entered the public domain.
"We dispute the Information Commissioner's findings, especially that we were reckless, and a requirement for any fine," he said.
"We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay.
"It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine."