Tim Hampson, Tuesday 5 June 2012

NHS trust to fight record £325k fine for data breach

A hospital trust on the south coast of England has been hit by the largest fine the Information Commissioner's Office (ICO) has issued since it was given the power to impose monetary penalties in April 2010.

Brighton and Sussex University Hospitals NHS Trust has been fined £325,000 for a serious breach of the Data Protection Act (DPA) after highly sensitive data files belonging to tens of thousands of patients and staff were found on hard drives sold on eBay in October and November 2010.

The data included details of patients' medical conditions and treatment, disability living allowance forms and children's reports. It also included documents containing staff details including national insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences.

The ICO's deputy commissioner and director of data protection, David Smith, said the magnitude of the fine reflected the gravity and scale of the data breach. He said that the size of the fine would set an example to all organisations - both public and private but especially the NHS - "of the importance of keeping sensitive, personal information secure".

"In this case, the Trust failed significantly in its duty to its patients, and also to its staff," said Smith.

The breach occurred when an individual engaged by the trust's IT service provider, Sussex Health Informatics Service, was tasked with destroying approximately 1,000 hard drives held in a key-code-protected room at Brighton General Hospital in September and October 2010. In December 2010 a data recovery company bought four of the drives from an eBay seller who had purchased them from that individual.

In total, more than 250 hard drives were removed without the data they contained being destroyed, and the ICO says the trust could not explain how its security was breached.

But the trust does not accept the ICO's conclusions and says it will fight them. Duncan Selbie, the trust's chief executive, insisted that no data had entered the public domain, disputing both the grounds for the fine and the ICO's finding that the trust had been "reckless".

"We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay.

"No sensitive data has therefore entered the public domain. We reported all of this voluntarily to the Information Commissioner's Office, who told me last summer that this was not a case worthy of a fine.

"The Information Commissioner has ignored our extensive representations. It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine despite repeated attempts to find out, including a freedom of information request which they interestingly refused on the basis that it would 'prejudice the monetary penalty process'."

The trust said that it could not afford to pay the fine and would appeal to the Information Tribunal.

The trust has now committed to providing a secure central store for hard drives and other media, reviewing its process for vetting potential IT suppliers, engaging an ISO 27001-certified IT waste disposal company, and making progress towards central network access.

Brighton and Sussex University Hospitals NHS Trust is not the first to contest an ICO ruling: Central London Community Healthcare (CLCH) NHS Trust last week instructed lawyers to challenge a £90,000 fine from the ICO, imposed after 59 patients' records were faxed to the wrong person 59 times over a three-month period between March and June last year.