Brighton and Sussex University Hospitals NHS Trust has been issued the highest ever fine by the Information Commissioner’s Office.
The £325,000 fine is for breaching the Data Protection Act, after a contractor that the trust paid to destroy hundreds of hard drives instead sold them on eBay.
It is the largest handed down by the ICO since it was granted the power to issue fines in April 2010.
More than 250 hard drives containing highly sensitive personal data on tens of thousands of patients and staff were sold on eBay in October and November 2010.
The data included details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports. It also included documents containing staff details including National Insurance numbers, home addresses, ward and hospital IDs.
The data breach occurred when a man engaged by the trust’s IT service provider, Sussex Health Informatics Service, to destroy approximately 1000 hard drives was working in a key-code-protected room at Brighton General Hospital in September and October 2010.
His theft of more than 250 hard drives was discovered when a data recovery company bought four of them online and contacted the trust.
A statement from the ICO said the office was assured in its initial investigation following this discovery that only these four hard drives were stolen.
However, it was contacted by a university in April 2011 because a student had bought a hard drive containing the sensitive information.
“The trust has been unable to explain how the individual removed at least 252 of the approximate 1000 hard drives they were supposed to destroy from the hospital during their five days on site,” the ICO said.
“They are not believed to have known the key code needed to access the room where the drives were stored, and were usually supervised by staff working for HIS. However, the Trust has acknowledged that the individual would have left the building for breaks, and that the hospital is publicly accessible.”
The ICO originally proposed a fine of £375,000 in January this year. The trust challenged the decision, saying it was the victim of a crime itself.
ICO deputy commissioner and director of data protection David Smith said the size of the fine reflected the “gravity and scale of the data breach”.
“It sets an example for all organisations – both public and private – of the importance of keeping personal information secure,” he said.
“In this case, the trust failed significantly in its duty to its patients, and also to its staff.”
BSUH has committed to providing a secure central store for hard drives and other media, reviewing the process for vetting potential IT suppliers, obtaining the services of a fully ISO 27001-accredited IT waste disposal company, and making progress towards central network access.
All stolen hard drives have since been recovered with the help of the Sussex police, NHS Counter Fraud and the ICO.