Brighton and Sussex University Hospitals NHS Trust may become the first NHS trust to be fined by the Information Commissioner’s Office for breaching the Data Protection Act, after a contractor that it paid to destroy hundreds of hard drives instead sold them on eBay.
More than 200 hard drives with information on many thousands of patients and staff were sold over the internet auction site, but have since been recovered.
Trust chief executive Duncan Selbie said it had received a notice from the ICO proposing a fine of £375,000 for the data breach. Selbie said the trust was the victim of a crime and was going to challenge the fine.
“We subcontracted the destruction of these hard drives to a registered contractor who subsequently sold them on eBay,” he said.
“As soon as we were alerted to this, we informed the police and with their help we recovered all the hard drives stolen by this individual.
“We are confident that there is a very low risk of any of the data from them having passed into the public domain.”
The Argus newspaper reported that 232 hard drives were taken from computers in a locked store at Brighton General Hospital, while 1,000 drives were being decommissioned.
A 36-year-old man from Seaford was arrested on suspicion of theft and bailed several times, but the Crown Prosecution Service decided to take no further action, the report said.
The Sussex Health Informatics Service had appointed a contractor to dispose of the drives on the trust’s behalf. In December 2010, it discovered that four of the drives had been bought by a data recovery organisation on eBay when the buyer contacted the trust.
All stolen hard drives have since been recovered with the help of the Sussex police, NHS Counter Fraud and the ICO.
An ICO spokesperson said it could not comment on the case because it was an ongoing investigation.
“The ICO is currently making enquiries into a possible breach of the Data Protection Act and is unable to speculate on what action will be taken at this time,” he said.
The ICO was given powers to impose fines of up to £500,000 for breaches of the Data Protection Act in April 2010. The ICO website says that when determining the size of a fine it takes into account the seriousness of the breach and the financial resources of the data controller.
Nine fines have been imposed so far – seven of them on councils – ranging from £1,000 to £130,000. No fines have yet been handed down to an NHS organisation.