Brighton and Sussex University Hospitals NHS Trust has paid a fine of £260,000 after a contractor sold hard drives containing patient information on eBay.
In June this year, the Information Commissioner’s Office issued the trust with a record-high fine of £325,000 for breaching the Data Protection Act.
The trust told eHealth Insider at the time that it “simply cannot afford to pay” and it would appeal to the Information Tribunal.
However, the trust’s annual report for 2011-12 says a reduced fine of £260,000 has been paid. Fines are reduced by 20% if paid within a certain time frame.
The report says the trust made “extensive written and oral representations on the notice of intent” issued in May, but paid the fine in June.
The breach occurred after a contractor that the trust paid to destroy hundreds of hard drives, containing sensitive patient information, instead sold them on eBay.
The annual report says that the hard drives were sold by a person whose company had been engaged by the Sussex Health Informatics Service to destroy them.
“All of the drives were recovered or otherwise accounted for and [the trust] remains confident that no patient identifiable data entered the public domain.
"[Brighton and Sussex's] membership of the Sussex HIS concluded at the end of the 2011-12 financial year,” it adds.
“As part of bringing ownership of IT services back in-house, which took place on 1 April 2012, [the trust] has taken appropriate steps to strengthen the processes relating to the disposal of redundant hard drives.
"[This includes] a stringent due diligence process for the engagement of contractors in the wiping and disposal of redundant hard drives.
“Through the internal auditors, the audit committee will be ensuring that the trust’s information governance arrangements are subject to a rigorous process of continuous improvement and that appropriate training continues to be provided to staff in addition to that which is given during the induction process.”
© 2012 EHealth Media.
Harsh?Tim Turner 134 weeks ago
The reason for the fine is the inadequacies of the contracts in place. If the contracts had been more robust, a fine would have been impossible. So it's entirely possible that BSUH have no route to recover anything from their contractors. Moreover, they spent 180,000 on legal fees before paying up, so the total figure they paid out on this case is around 400,000.
What is the pointInter Ested 135 weeks ago
Of fining trusts? The service will fall even lower. Just fire whoever was responsible/accountable for the breach. Why should patients and other staff suffer as a result of someone failing to follow process?
Hold on...BenA 135 weeks ago
I'm not debating if the Trust is accountable. We live in a world where contracting or outsourcing is fairly common in the NHS. You can buy software to erase data on drives but how many Trust's across the UK have the capability to physically destroy hard drives or have the resources to go around wiping them. Yes, BSUH are liable but all I am asking is surely the contractor should be taking some flack or the Trust pursuing them for breach of contract. Let me ask the question, for any Healthcare organisation who has outsourced some form of ICT service, how can they be sure that a situation like this doesn't happen again? If you cannot put your faith in a contractor, then what are we saying, the NHS should never use contractors? Fact is, if the contractor did what they were meant to be doing we would having this conversation, so why they getting away scott free while BSUH, the taxpayer (I assume) pick up the bill and other patient services must suffer?
The "Wake up" fineWorking in IT NHS 127 weeks ago
I have been working in the NHS for too many years now, and the general perception of risk is "its always someone else's job...." Not so long ago I was involved in a project in which a Trust had 12,000 individuals in AD yet only 8,000 staff. When I asked where the other 4,000 had come from - the response was blank looks and shrugging of shoulders. Meaning any one of 4000x ex employees could have walked onto site and regained access to sensitive data. Their approach at the time was "shhhh"" don't tell anyone
So the same principles apply here with BSUH. No matter where the data, on site, off site with an employee of the Trust at his home location or with a contractor, the fundamental issue is that BSUH owned that data and is wholly responsible - no "if's no buts" - no excuses.
What this event has given rise to within the NHS is almost a knee jerk reaction. Alot of Trusts are now taking disposal and data destruction more seriously.
I think the next breach in general will be with mobile phones - because if we thought the process and assumptions were slack with hard drive data - you couldn't begin to imagine the absolute naivety on mobile devices.....
the capability to physically destroy hard drivesmrtablet 135 weeks ago
Silverline HA03B 8 Ounce Hardwood Shaft Claw Hammer:
GBP 3.53 Amazon.UK accessed at time of posting above.
Other brands of hammer are available. If only all IT problems were as simple to solve.
"The Facts"george385 135 weeks ago
The fact is we don't know the facts. I would have expected the trust to be savvy enough to ensure that destruction of the data on the disks were part of the agreed work to be done.
If it wasn't then I suggest that someone was guilty of criminal negligence.
Accountabilitygeorge385 135 weeks ago
Should the trust be accountable? YES it should. The trust had a duty to ensure that patients data is protected and respected at all times. Keeping ones fingers crossed when dealing with other people's confidential data just isn't good enough.
Harsh on BSUHBenA 135 weeks ago
"The data controller remains liable". But surely BSUH will be taking action against the contractor (or Sussex HIS whom will be taking action again the contractor). BSUH (I assume) paid for a service and the contractor had a duty of care to destroy the drives in accordance with NHS terms and conditions and basic destruction guidelines. Breach of contract?