Brighton hospital fined record £325,000 over data theft

The trust was fined after computers taken from Brighton General Hospital were found on eBay

A hospital trust has been fined £325,000 after computer hard drives containing confidential information on thousands of patients were stolen.

The Information Commissioner's Office (ICO) said the fine, for Brighton and Sussex University Hospitals NHS Trust, was the highest it had ever imposed.

Personal data belonging to patients and staff was taken from Brighton General Hospital in September 2010.

The trust said it could not afford to pay the fine and would appeal.

Highly sensitive personal data belonging to tens of thousands of people, including some relating to HIV and Genito Urinary Medicine patients, was discovered on hard drives sold on eBay in October and November 2010.

The ICO said the data included details of patients' medical conditions and treatment, disability living allowance forms and children's reports.

Destroy hard drives

It also included staff details including National Insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences.

The data breach occurred when an individual working for the trust's IT service provider, Sussex Health Informatics Service (HIS), was told to destroy approximately 1,000 hard drives at Brighton General Hospital.

A data recovery company bought four hard drives from a seller on eBay, who had purchased them from the individual.

The ICO said the trust was unable to explain how the individual removed from the hospital at least 252 of the hard drives that were supposed to be destroyed.

The worker was not believed to have known the key code needed to access the room where the drives were stored, and was usually supervised by staff working for HIS.

'Dispute findings'

The ICO's deputy commissioner David Smith said the fine reflected the gravity and scale of the data breach.

"It sets an example for all organisations - both public and private - of the importance of keeping personal information secure," he said.

The trust's chief executive, Duncan Selbie, said no sensitive data had entered the public domain.

"We dispute the Information Commissioner's findings, especially that we were reckless, and a requirement for any fine," he said.

"We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay.

"It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine."
