Belfast Health Trust fined £225,000 over patient records breach
The Belfast Health Trust has been fined £225,000 after thousands of patient records were found abandoned in a disused hospital.
The Information Commission imposed the fine because the trust failed to secure confidential files at Belvoir Park Hospital, which closed in 2006.
Last year, the Irish News revealed that thieves entered the site, stole records and posted some on the internet.
The trust has apologised for the breach and said it has learned lessons.
The Information Commissioner's Office has told the BBC that the trust has been served with the £225,000 fine - known as a Civil Monetary Penalty (CMP) - following a serious breach of the Data Protection Act (DPA).
Assistant Commissioner for Northern Ireland Ken MacDonald said it was the second highest fine since the Information Commission got new powers in 2010.
The breach involved the sensitive personal data of many thousands of patients and included medical records, X-rays, scans and laboratory results.
It also involved 15,000 staff records, including unopened pay-slips.
Health Minister Edwin Poots said the fine was "deeply regrettable".
"The level of fine is very significant," he said. "I think it reflects the scale of the incident. It should never have happened in the first instance.
"I bear no grudge with the Information Commissioner for the fine. It's £225,000 that the Belfast Trust could ill afford to lose."
Mr Poots said he hoped that it would be a "lesson to everyone that's involved in public life about the security of documents".
"It's very unfortunate that others would have come in to actually view those documents but, none the less, the opportunity should never have been available to them in the first instance," he said.
Belvoir Park Hospital in south Belfast was closed to patients in 2006 when a new cancer hospital was built at Belfast City Hospital.
Belfast Health Trust took over responsibility for the building in 2007 as part of a major trust reorganisation.
However, management failed to properly secure the building and the thousands of records inside it.
The disused site became home to many vandals who broke in and stole confidential data.
The thieves even posted some of the records on the internet, including X-rays and scans, in an attempt to sell the material.
The trust's medical director, Dr Tony Stevens, told the BBC that it was a very serious incident.
"On behalf of the trust I apologise to all those who were caught up in this. Also the families and the staff. It shouldn't have happened and we are deeply sorry for any hurt caused."
Dr Stevens went on to say that none of the trust's present management had been involved in the securing of the building back in 2006, as responsibility for building did not pass to the organisation until the following year.
"I accept that in 2007 moving into disused buildings was not our priority back then. We thought the site had been properly secured by the previous managers - when sadly it wasn't suffice.
"These were highly confidential notes which should have been destroyed when the hospital closed. They now have," Dr Stevens added.
An early payment clause means the fine will be reduced to £180,000.
The Belfast Health Trust has accepted that it is "unfortunate" that the fine will be paid out of its efficiency savings - money which could have funded jobs, equipment or subsidised car parking fees.
Instead, it will go on a paying a fine which the trust admits was a "mistake".
"We fully accept the seriousness of this and have learnt lessons.
"We now have gone into the 50 empty buildings which we own and made sure there are no public records left. All have been removed," a spokesperson confirmed.
The trust insisted that no one came to harm over the breach of security.
Ten people contacted the help line which was set up at the time while three people lodged complaints.