Brighton faces fine for drives on eBay

  • 11 January 2012
Brighton and Sussex University Hospitals NHS Trust declared a major incident after trouble with its IT system

Brighton and Sussex University Hospitals NHS Trust may become the first NHS trust to be fined by the Information Commissioner’s Office for breaching the Data Protection Act, after a contractor that it paid to destroy hundreds of hard drives instead sold them on eBay.

More than 200 hard drives with information on many thousands of patients and staff were sold over the internet auction site, but have since been recovered.

Trust chief executive Duncan Selbie said it had received a notice from the ICO proposing a fine of £375,000 for the data breach. Selbie said the trust was the victim of a crime and was going to challenge the fine.

“We subcontracted the destruction of these hard drives to a registered contractor who subsequently sold them on eBay,” he said.

“As soon as we were alerted to this, we informed the police and with their help we recovered all the hard drives stolen by this individual.

“We are confident that there is a very low risk of any of the data from them having passed into the public domain.”

The Argus newspaper reported that 232 hard drives were taken from computers in a locked store at Brighton General Hospital, while 1,000 drives were being decommissioned.

A 36-year-old man from Seaford was arrested on suspicion of theft and bailed several times, but the Crown Prosecution Service decided to take no further action, the report said.

The Sussex Health Informatics Service had appointed a contractor to dispose of the drives on the trust’s behalf. In December 2010, it discovered that four of the drives had been bought by a data recovery organisation on eBay when the buyer contacted the trust.

All stolen hard drives have since been recovered with the help of the Sussex police, NHS Counter Fraud and the ICO.

An ICO spokesperson said it could not comment on the case because it was an ongoing investigation.

“The ICO is currently making enquiries into a possible breach of the Data Protection Act and is unable to speculate on what action will be taken at this time,” he said.

The ICO was given powers to impose fines of up to £500,000 for breaches of the Data Protection Act in April 2010. The ICO website says that when determining the size of a fine it takes into account the seriousness of the breach and the financial resources of the data controller.

Nine fines have been imposed so far – seven of them on councils – ranging from £1,000 to £130,000. No fines have yet been handed down to an NHS organisation.
